
CVE-2024-9649: CWE-352 Cross-Site Request Forgery (CSRF) in alimir WP ULike – All-in-One Engagement Toolkit

Severity: Medium
Tags: Vulnerability, CVE-2024-9649, CWE-352
Published: Wed Oct 16 2024 (10/16/2024, 02:05:04 UTC)
Source: CVE Database V5
Vendor/Project: alimir
Product: WP ULike – All-in-One Engagement Toolkit

Description

CVE-2024-9649 is a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 4.7.4 of the WP ULike – All-in-One Engagement Toolkit WordPress plugin. The flaw arises from missing or incorrect nonce validation in the wp_ulike_delete_history_api() function, allowing unauthenticated attackers to trick site administrators into deleting engagement data via forged requests. Exploitation requires user interaction, specifically an administrator clicking a malicious link. The vulnerability impacts integrity by enabling unauthorized deletion of engagement history but does not affect confidentiality or availability. The CVSS score is 4.3 (medium severity), reflecting the limited scope and the required user interaction. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize updating or applying mitigations to prevent potential manipulation of engagement data.

AI-Powered Analysis

Last updated: 02/25/2026, 23:32:31 UTC

Technical Analysis

CVE-2024-9649 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability identified in the WP ULike – All-in-One Engagement Toolkit plugin for WordPress, affecting all versions up to and including 4.7.4. The vulnerability stems from missing or incorrect nonce validation in the wp_ulike_delete_history_api() function, which is responsible for handling requests to delete user engagement history. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. The absence or improper implementation of nonce validation allows an unauthenticated attacker to craft a malicious request that, when executed by an authenticated administrator (via clicking a specially crafted link), results in the deletion of engagement data. This attack vector requires user interaction and targets the integrity of the engagement data stored by the plugin. The vulnerability does not grant access to confidential information nor does it cause denial of service, but it can disrupt the accuracy and completeness of engagement metrics. The CVSS 3.1 score of 4.3 reflects the network attack vector, low attack complexity, no privileges required, but user interaction is necessary. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly to prevent potential misuse.

Potential Impact

The primary impact of this vulnerability is the unauthorized deletion of engagement data within the WP ULike plugin, which can undermine the integrity of user interaction metrics on affected websites. For organizations relying on these metrics for marketing, user engagement analysis, or community management, this could lead to inaccurate reporting and decision-making. While the vulnerability does not expose sensitive data or cause service outages, the manipulation of engagement history could affect trustworthiness and operational insights. Attackers could exploit this flaw to sabotage competitor websites or disrupt community engagement on high-profile sites. Since exploitation requires an administrator to be tricked into clicking a malicious link, the risk is somewhat mitigated by user awareness but remains significant in environments with less stringent security training. The widespread use of WordPress globally, combined with the popularity of engagement plugins, means many websites could be affected, especially those with active administrative users who might be targeted via phishing or social engineering campaigns.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first check for updates from the plugin vendor and apply any patches or newer versions that address the nonce validation issue. If no patch is available, administrators can implement manual nonce verification in the wp_ulike_delete_history_api() function to ensure requests are legitimate. Additionally, enforcing strict Content Security Policy (CSP) headers can help reduce the risk of CSRF by limiting the domains from which scripts can be loaded. Administrators should also be trained to recognize phishing attempts and avoid clicking suspicious links, especially when logged into administrative accounts. Employing multi-factor authentication (MFA) for WordPress admin accounts can reduce the risk of account compromise. Finally, monitoring logs for unusual deletion requests and maintaining regular backups of engagement data will aid in quick recovery if exploitation occurs.
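The nonce-validation pattern the analysis describes, shown as an added illustration rather than the plugin's own code: a WordPress AJAX delete handler in the unprotected form that a forged cross-site request can trigger, beside the hardened form that checks a nonce and a capability. Function names, the action name and the table name are hypothetical and do not reflect WP ULike's internals.

```php
<?php
// Added example (hypothetical names, not WP ULike's code): a WordPress AJAX
// handler that deletes engagement history, first in the CSRF-prone form the
// advisory describes, then hardened with nonce and capability checks.

// Vulnerable pattern: any request arriving with the admin's session cookies
// is honoured, so a link or form on a third-party site can trigger the delete.
function vulnerable_delete_history() {
    global $wpdb;
    $wpdb->query( "DELETE FROM {$wpdb->prefix}engagement_history" ); // hypothetical table
    wp_send_json_success( 'history deleted' );
}

// Hardened pattern: require a nonce bound to this action, then the capability.
function hardened_delete_history() {
    // check_ajax_referer() runs wp_verify_nonce() on $_REQUEST['nonce'] and,
    // by default, terminates the request with "-1" (HTTP 403) when it fails.
    check_ajax_referer( 'delete_history_nonce', 'nonce' );

    // A nonce proves intent, not authority: still verify the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    global $wpdb;
    $wpdb->query( "DELETE FROM {$wpdb->prefix}engagement_history" ); // hypothetical table
    wp_send_json_success( 'history deleted' );
}
add_action( 'wp_ajax_delete_history', 'hardened_delete_history' );

// Issue the nonce only to legitimate admin pages. The plugin's own JavaScript
// reads it from the page; a cross-origin page cannot, which is what defeats CSRF.
function print_delete_history_nonce() {
    $nonce = wp_create_nonce( 'delete_history_nonce' );
    printf( '<script>var deleteHistoryNonce = %s;</script>', wp_json_encode( $nonce ) );
}
add_action( 'admin_footer', 'print_delete_history_nonce' );
```

WordPress nonces are tied to the logged-in user and rotate every 12 to 24 hours, so the check above also rejects stale tokens replayed from an older page load.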


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-10-08T18:52:57.381Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6b56b7ef31ef0b55308b

Added to database: 2/25/2026, 9:36:22 PM

Last enriched: 2/25/2026, 11:32:31 PM

Last updated: 2/26/2026, 8:21:38 AM
