CVE-2025-12404 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Like-it plugin for WordPress, developed by nikolayyordanov. This vulnerability affects all versions up to and including 2.2 due to missing or incorrect nonce validation in the likeit_conf() function. Nonces are security tokens used to verify that requests originate from legitimate users; their absence or improper implementation allows attackers to craft malicious requests that appear legitimate to the server. In this case, an unauthenticated attacker can exploit the vulnerability by tricking a site administrator into clicking a specially crafted link or visiting a malicious webpage. Once the administrator interacts with the malicious request, the attacker can update plugin settings and inject malicious web scripts, potentially leading to unauthorized changes in site behavior or the execution of arbitrary scripts within the administrator's context. The vulnerability impacts the confidentiality and integrity of the affected WordPress site but does not directly affect availability. The CVSS v3.1 score is 6.1 (medium), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction and having a scope change. No known exploits have been reported in the wild as of the publication date, but the risk remains significant due to the widespread use of WordPress and the Like-it plugin. The vulnerability is classified under CWE-352, which covers CSRF issues. The lack of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps by administrators.

For European organizations, this vulnerability poses a risk primarily to websites using the Like-it WordPress plugin, which is popular for adding like buttons and social interaction features. Successful exploitation could allow attackers to alter plugin configurations and inject malicious scripts, potentially leading to unauthorized data exposure, defacement, or further compromise through script execution in the context of an administrator. This can undermine trust in the affected websites, lead to data breaches, and facilitate subsequent attacks such as phishing or malware distribution. Since the attack requires an administrator to interact with a malicious link, targeted social engineering campaigns could be effective. The impact is heightened for organizations relying heavily on WordPress for public-facing or internal portals, especially those handling sensitive user data or critical business functions. Disruption of website integrity can also affect brand reputation and compliance with data protection regulations like GDPR if personal data is compromised. Although availability is not directly impacted, the indirect consequences of injected malicious scripts could lead to service interruptions or blacklisting by security services.

1. Monitor for and apply official patches or updates from the Like-it plugin developer as soon as they become available. 2. Until a patch is released, restrict administrative access to trusted personnel and enforce the use of multi-factor authentication (MFA) to reduce the risk of compromised credentials. 3. Educate administrators about the risks of clicking unsolicited links and implement email filtering to reduce phishing attempts. 4. Employ Web Application Firewalls (WAFs) with rules designed to detect and block CSRF attack patterns targeting the likeit_conf() function or suspicious POST requests to plugin endpoints. 5. Implement Content Security Policy (CSP) headers to mitigate the impact of injected scripts. 6. Regularly audit plugin configurations and website content for unauthorized changes or injected scripts. 7. Consider temporarily disabling or replacing the Like-it plugin with alternative solutions that do not have this vulnerability if immediate patching is not possible. 8. Use security plugins that can detect and alert on suspicious administrative actions or configuration changes within WordPress.