The WP ULike plugin for WordPress, designed to add like and dislike buttons for engagement, suffers from a stored cross-site scripting vulnerability identified as CVE-2026-2358. This vulnerability exists in the handling of the 'template' attribute of the shortcode [wp_ulike_likers_box]. The plugin uses the PHP function html_entity_decode() on shortcode attributes but fails to apply subsequent output sanitization such as wp_kses_post(), which is standard in WordPress to filter potentially malicious HTML content. This flaw allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into posts. The malicious payload is stored persistently and executed whenever any user accesses the infected page, provided the post has at least one like, which triggers the rendering of the vulnerable shortcode. The vulnerability impacts all versions up to and including 5.0.1 of the plugin. Exploitation does not require user interaction beyond viewing the page, and the attack scope includes confidentiality and integrity impacts, such as stealing cookies or performing actions on behalf of users. Although no known exploits have been reported in the wild, the vulnerability's presence in a popular WordPress plugin makes it a significant risk. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change with partial confidentiality and integrity impact.

This vulnerability can lead to significant security risks for websites using the WP ULike plugin. Attackers with Contributor-level access can inject persistent malicious scripts, which execute in the browsers of site visitors and administrators. This can result in session hijacking, defacement, unauthorized actions, or distribution of malware. Since WordPress powers a large portion of the web, including many business, e-commerce, and community sites, exploitation could compromise sensitive user data and site integrity. The requirement for authenticated access limits exposure somewhat, but many WordPress sites allow user registrations with Contributor or higher roles, increasing risk. The vulnerability's ability to bypass WordPress's default content filtering mechanisms exacerbates the threat. Organizations relying on this plugin face potential reputational damage, data breaches, and operational disruptions if exploited.

Immediate mitigation involves updating the WP ULike plugin to a version where this vulnerability is patched; however, no patch links are currently provided, so monitoring vendor updates is critical. Until a patch is available, administrators should restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of malicious input. Additionally, implementing a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute payloads can help prevent exploitation. Site owners should audit existing posts with likes for injected scripts and remove any suspicious content. Employing additional output sanitization or filtering plugins that enforce strict HTML content policies can mitigate risk. Regular security scanning and monitoring for anomalous behavior or injected scripts are also recommended. Finally, educating site administrators and users about the risks and signs of XSS attacks can improve detection and response.