The Like-it plugin for WordPress, developed by nikolayyordanov, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-12404. This vulnerability exists in all versions up to and including 2.2 due to missing or improper nonce validation in the likeit_conf() function, which handles configuration updates. Nonces are security tokens used to verify that requests originate from legitimate users and prevent unauthorized actions. Without proper nonce validation, attackers can craft malicious requests that, when executed by an authenticated administrator (e.g., by clicking a malicious link), cause unauthorized changes to plugin settings or injection of malicious web scripts. This can lead to persistent cross-site scripting (XSS) or other malicious behaviors embedded within the plugin's functionality. The attack vector is remote and requires no authentication but does require user interaction from a privileged user. The vulnerability impacts the confidentiality and integrity of the affected WordPress site by enabling unauthorized configuration changes and potential script injection, but it does not affect availability. The CVSS 3.1 score of 6.1 reflects these factors, with an attack vector of network, low attack complexity, no privileges required, user interaction required, and scope changed due to potential impact beyond the vulnerable component. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on 2025-10-28 and published on 2025-11-18.

The primary impact of this vulnerability is unauthorized modification of the Like-it plugin's settings and potential injection of malicious scripts, which can compromise the confidentiality and integrity of affected WordPress sites. Attackers can leverage this to insert persistent malicious code, potentially leading to further exploitation such as credential theft, site defacement, or distribution of malware to site visitors. Since the attack requires an administrator to perform an action, the risk is elevated for sites with multiple or less security-aware administrators. Exploitation could undermine user trust, damage brand reputation, and lead to regulatory or compliance issues if sensitive data is exposed or manipulated. Although availability is not directly impacted, the broader consequences of injected malicious scripts could indirectly affect site performance or user experience. Organizations relying on the Like-it plugin, especially those with high-traffic or sensitive content, face increased risk of targeted attacks exploiting this vulnerability.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates from the plugin developer once available. In the absence of a patch, administrators should consider temporarily disabling the Like-it plugin to prevent exploitation. Implementing Web Application Firewall (WAF) rules that detect and block suspicious CSRF attempts targeting the likeit_conf() function can reduce risk. Administrators should be trained to avoid clicking on untrusted links, especially when logged into WordPress admin panels. Additionally, enforcing multi-factor authentication (MFA) for administrator accounts can reduce the impact of compromised credentials. Site owners can also implement Content Security Policy (CSP) headers to limit the impact of injected scripts. Regular monitoring of plugin configuration changes and audit logs can help detect unauthorized modifications early. Finally, consider using security plugins that provide enhanced nonce validation or CSRF protections as a compensating control until an official fix is released.