CVE-2026-0909 identifies an authorization bypass vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key) in the WP ULike plugin for WordPress, versions up to and including 4.8.3.1. The vulnerability stems from the 'wp_ulike_delete_history_api' AJAX action, which allows deletion of user log entries without verifying that the entry belongs to the authenticated user making the request. Specifically, the plugin does not check ownership of the log entry identified by the 'id' parameter before performing deletion. This insecure direct object reference (IDOR) flaw enables any authenticated user with at least Subscriber-level access and the 'stats' capability assigned to their role to delete arbitrary log entries of other users. The vulnerability does not require elevated privileges beyond the 'stats' capability, nor does it require user interaction beyond authentication. The CVSS v3.1 score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity (deletion of logs) without affecting confidentiality or availability. No patches or known exploits are currently reported, but the vulnerability poses a risk to the integrity of engagement analytics data, potentially undermining audit trails or user activity records. The plugin is widely used for engagement analytics and interactive buttons on WordPress sites, making this vulnerability relevant to many websites relying on WP ULike for audience insights.

For European organizations, the primary impact of CVE-2026-0909 lies in the integrity loss of user engagement logs and analytics data. Attackers with minimal privileges can delete log entries belonging to other users, potentially disrupting audit trails, skewing analytics, or covering malicious activity. While this does not directly compromise sensitive data confidentiality or system availability, it undermines trustworthiness of user interaction records and may hinder incident investigations. Organizations relying on WP ULike for marketing insights, user behavior analysis, or compliance reporting may face data reliability issues. Additionally, if log deletion is combined with other vulnerabilities or insider threats, it could facilitate more severe attacks. The vulnerability’s exploitation requires authenticated access with the 'stats' capability, which may be assigned to Subscriber roles or other low-privilege accounts, increasing the attack surface. European entities with public-facing WordPress sites using this plugin should consider the risk of unauthorized log manipulation, especially in sectors where accurate user engagement data is critical, such as e-commerce, media, and public services.

To mitigate CVE-2026-0909, European organizations should first verify whether their WordPress installations use the WP ULike plugin and identify the version in use. Since no official patch is currently available, administrators should consider the following specific actions: 1) Restrict the 'stats' capability to trusted roles only, removing it from Subscriber or other low-privilege accounts to limit who can invoke the vulnerable AJAX action. 2) Implement additional access control checks via custom code or security plugins to verify ownership of log entries before deletion. 3) Monitor and audit user activity logs for unusual deletion patterns or unauthorized access attempts. 4) Temporarily disable or remove the WP ULike plugin if the risk outweighs the benefit until a patch is released. 5) Engage with the plugin vendor or WordPress security community to track patch releases and apply updates promptly. 6) Harden WordPress installations by enforcing strong authentication, limiting plugin installations, and applying the principle of least privilege to user roles. These targeted mitigations go beyond generic advice by focusing on capability restriction and ownership verification specific to this vulnerability.