CVE-2024-12770 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP ULike WordPress plugin versions prior to 4.7.6. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings, allowing high-privilege users, such as administrators, to inject malicious scripts. Notably, this vulnerability can be exploited even when the 'unfiltered_html' capability is disabled, such as in multisite WordPress configurations, which typically restricts HTML content to trusted users. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 4.8 (medium severity), with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, meaning the attack can be launched remotely over the network with low attack complexity, requires high privileges, and user interaction is needed. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss but no availability impact. Since the vulnerability requires a high-privilege user to perform the attack and user interaction (such as clicking a crafted link) is necessary, exploitation is somewhat constrained. However, successful exploitation could allow an attacker to execute arbitrary JavaScript in the context of the affected site, potentially leading to session hijacking, privilege escalation, or further compromise within the WordPress environment. No known exploits are currently reported in the wild, and no official patch links are provided yet. The vulnerability was reserved in December 2024 and published in May 2025.

For European organizations using WordPress sites with the WP ULike plugin, this vulnerability poses a moderate risk. Since exploitation requires high privileges, the primary threat vector is insider threats or compromised administrator accounts. If exploited, attackers could inject malicious scripts that affect site administrators or other users, potentially leading to session hijacking, unauthorized actions, or data leakage within the WordPress environment. This could undermine trust in the affected websites, lead to defacement, or facilitate further attacks such as phishing or malware distribution. Multisite WordPress setups, common in larger organizations or managed hosting environments, are particularly at risk because the vulnerability bypasses the usual 'unfiltered_html' restrictions. European organizations with public-facing WordPress sites that use WP ULike for user engagement or content interaction should be vigilant, as exploitation could impact confidentiality and integrity of site content and user data. While availability is not directly affected, reputational damage and compliance risks (e.g., GDPR concerns if personal data is exposed) are relevant considerations.

1. Immediate mitigation involves restricting administrative access to trusted personnel only and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised high-privilege accounts. 2. Monitor and audit administrator activities and plugin settings changes to detect suspicious behavior that might indicate exploitation attempts. 3. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS payloads by restricting the execution of unauthorized scripts. 4. Until an official patch is released, consider disabling or removing the WP ULike plugin if it is not critical to operations, or isolate it in a staging environment for testing. 5. Regularly update WordPress core and all plugins, and subscribe to vulnerability disclosure feeds to apply patches promptly once available. 6. For multisite environments, review and tighten capability assignments and consider additional input validation or sanitization at the application or web server level. 7. Educate administrators about the risks of stored XSS and safe handling of plugin settings to avoid inadvertent injection of malicious content.