
CVE-2026-0909: CWE-639 Authorization Bypass Through User-Controlled Key in alimir WP ULike – Engagement Analytics & Interactive Buttons to Understand Your Audience

Severity: Medium
Tags: Vulnerability, CVE-2026-0909, CWE-639
Published: Tue Feb 03 2026 (02/03/2026, 03:24:35 UTC)
Source: CVE Database V5
Vendor/Project: alimir
Product: WP ULike – Engagement Analytics & Interactive Buttons to Understand Your Audience

Description

The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the `wp_ulike_delete_history_api` AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for authenticated attackers, with Subscriber-level access and above (granted the 'stats' capability is assigned to their role), to delete arbitrary log entries belonging to other users via the 'id' parameter.

AI-Powered Analysis

Last updated: 02/26/2026, 18:45:40 UTC

Technical Analysis

The WP ULike plugin, widely used for engagement analytics and interactive buttons on WordPress sites, suffers from an authorization bypass vulnerability identified as CVE-2026-0909. This vulnerability is due to an Insecure Direct Object Reference (IDOR) flaw (CWE-639) in the AJAX action 'wp_ulike_delete_history_api'. Specifically, the plugin does not verify whether the log entry targeted for deletion belongs to the authenticated user initiating the request. As a result, any authenticated user with at least Subscriber-level access and the 'stats' capability assigned to their role can delete arbitrary log entries belonging to other users by manipulating the 'id' parameter in the AJAX request. The vulnerability affects all versions up to and including 4.8.3.1. The CVSS 3.1 base score is 5.3, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), integrity impact (I:L), and no availability impact (A:N). The flaw compromises data integrity by allowing unauthorized deletion of user engagement logs, which could affect analytics accuracy and user activity records. No patches or exploits are currently publicly available, but the vulnerability poses a risk to WordPress sites relying on this plugin for audience engagement metrics.

Potential Impact

The primary impact of CVE-2026-0909 is on the integrity of user engagement data within WordPress sites using the WP ULike plugin. Unauthorized deletion of log entries can lead to inaccurate analytics, loss of historical user interaction data, and potential disruption of audience understanding. While this does not directly affect confidentiality or availability, the manipulation of engagement data can undermine trust in analytics-driven decisions and marketing strategies. For organizations relying heavily on user engagement metrics for business intelligence, this could result in misguided decisions or loss of competitive advantage. Additionally, if log entries are used for auditing or compliance purposes, their unauthorized deletion could complicate forensic investigations or regulatory reporting. The vulnerability requires only authenticated access with minimal privileges, increasing the risk of exploitation by low-level users or compromised accounts. Although no known exploits are reported, the ease of exploitation and broad user base of WordPress sites make this a relevant threat to many organizations worldwide.

Mitigation Recommendations

To mitigate CVE-2026-0909, organizations should immediately update the WP ULike plugin to a patched version once available. In the absence of an official patch, administrators can implement custom access control checks in the plugin code to verify that the authenticated user owns the log entry before allowing deletion. Restricting the 'stats' capability to trusted roles only and auditing user roles and permissions can reduce the attack surface. Employing Web Application Firewalls (WAFs) to monitor and block suspicious AJAX requests targeting the 'wp_ulike_delete_history_api' action can provide temporary protection. Regularly reviewing user activity logs for unusual deletion patterns and enforcing strong authentication mechanisms to prevent account compromise are also recommended. Finally, organizations should consider isolating or limiting plugin usage on critical systems until the vulnerability is resolved.
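As an added illustration of the ownership check the mitigation above calls for, the hardened AJAX handler below (example code, not WP ULike's own) deletes a history row only when it belongs to the requesting user. The action name, nonce name and the `{$wpdb->prefix}ulike` table layout (`id`, `user_id` columns) are assumptions made for the example.

```php
<?php
// Added example (not WP ULike's own code): an AJAX delete handler that performs
// the ownership check CVE-2026-0909 describes as missing. The action name,
// nonce name and table/column names are assumptions for illustration.
add_action( 'wp_ajax_example_delete_history', 'example_delete_history_handler' );

function example_delete_history_handler() {
    global $wpdb;

    // CSRF protection: dies with 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_history_nonce', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // A role/capability check alone is the flawed pattern: every Subscriber
    // holding the 'stats' capability would pass it and could still delete
    // anybody's rows. Ownership of the specific row must be verified too.
    $id      = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    $user_id = get_current_user_id();
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id.' ), 400 );
    }
    $table = $wpdb->prefix . 'ulike'; // ASSUMED table name for the example.

    // Resolve who owns the row the client asked to delete.
    $owner = $wpdb->get_var(
        $wpdb->prepare( "SELECT user_id FROM {$table} WHERE id = %d", $id )
    );

    // The IDOR fix: the row must exist and belong to the caller. Answer 404 in
    // both cases so the endpoint does not reveal which ids exist.
    if ( null === $owner || (int) $owner !== $user_id ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    // Bind user_id into the DELETE as well, so a row whose owner changed between
    // the check and the delete is not removed on the strength of a stale check.
    $deleted = $wpdb->delete(
        $table,
        array( 'id' => $id, 'user_id' => $user_id ),
        array( '%d', '%d' )
    );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

The same pattern (resolve the object's owner, compare with `get_current_user_id()`, and re-bind the owner in the write itself) applies to any per-user record exposed through an `id` parameter, not only to this plugin's history table.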


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-13T18:21:37.374Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6981764df9fa50a62fa17c8d

Added to database: 2/3/2026, 4:15:09 AM

Last enriched: 2/26/2026, 6:45:40 PM

Last updated: 3/20/2026, 5:43:54 AM

Views: 58
