CVE-2025-12404 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Like-it plugin for WordPress, developed by nikolayyordanov, affecting all versions up to and including 2.2. The vulnerability stems from missing or incorrect nonce validation in the likeit_conf() function, which is responsible for handling configuration changes within the plugin. Nonces are security tokens used to verify that requests originate from legitimate users and prevent unauthorized commands. The absence or improper implementation of nonce checks allows attackers to craft malicious web requests that, when executed by an authenticated site administrator (e.g., via clicking a malicious link), can alter plugin settings or inject malicious scripts into the website. This attack vector does not require the attacker to be authenticated but does require user interaction from an administrator, making social engineering a key component of exploitation. The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change. The impact affects confidentiality and integrity by enabling unauthorized configuration changes and script injection, potentially leading to data exposure or further compromise. No availability impact is noted. No public exploits have been reported yet, but the vulnerability is published and should be considered a risk for WordPress sites using this plugin. The lack of an official patch link suggests that users should monitor vendor updates closely. The vulnerability is cataloged under CWE-352, a common web security weakness related to CSRF attacks.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of their WordPress-based websites. Attackers exploiting this flaw can manipulate plugin settings and inject malicious scripts, which could lead to unauthorized data disclosure, defacement, or further compromise of the web environment. Organizations relying on the Like-it plugin for user engagement features may face reputational damage if attackers leverage this vulnerability to spread malware or phishing content. The requirement for administrator interaction means that targeted phishing or social engineering campaigns could be effective, increasing the risk for organizations with less security-aware staff. Given the widespread use of WordPress across Europe, especially in small to medium enterprises and public sector websites, the vulnerability could have broad impact if not addressed. However, the absence of known exploits in the wild currently reduces immediate risk, though this could change rapidly once exploit code becomes available. The medium CVSS score reflects a moderate risk level but should not be underestimated due to the potential for chained attacks following successful exploitation.

1. Monitor the Like-it plugin vendor's official channels for security patches and apply updates promptly once available. 2. Until patches are released, consider disabling or removing the Like-it plugin if it is not critical to operations. 3. Implement strict role-based access controls to limit administrative privileges only to essential personnel. 4. Educate administrators and users about phishing and social engineering tactics to reduce the likelihood of inadvertent interaction with malicious links. 5. Deploy Web Application Firewalls (WAFs) with rules to detect and block CSRF attempts and suspicious POST requests targeting the likeit_conf() endpoint. 6. Enable Content Security Policy (CSP) headers to mitigate the impact of injected scripts. 7. Regularly audit WordPress plugins and their configurations for security best practices. 8. Use security plugins that provide additional nonce validation or CSRF protections as a temporary workaround. 9. Monitor logs for unusual configuration changes or unexpected administrative actions. 10. Consider implementing multi-factor authentication (MFA) for WordPress administrator accounts to reduce the risk of compromised credentials facilitating exploitation.