CVE-2026-0909 – The WP ULike WordPress plugin has an Insecure D... (How to Fix)

Q: What is the severity of CVE-2026-0909?

CVE-2026-0909 has a CVSS score of 5.3 (MEDIUM). The WP ULike WordPress plugin has an Insecure Direct Object Reference vulnerability that allows authenticated attackers with Subscriber-level access or higher to delete arbitrary log entries belonging to other users. This occurs because the plugin doesn't verify ownership before deleting log entries via the AJAX API. WordPress sites using WP ULike version 4.8.3.1 or earlier are affected.

📋 TL;DR

The WP ULike WordPress plugin has an Insecure Direct Object Reference vulnerability that allows authenticated attackers with Subscriber-level access or higher to delete arbitrary log entries belonging to other users. This occurs because the plugin doesn't verify ownership before deleting log entries via the AJAX API. WordPress sites using WP ULike version 4.8.3.1 or earlier are affected.

💻 Affected Systems

Products:

WP ULike WordPress Plugin

Versions: All versions up to and including 4.8.3.1

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated users with Subscriber role or higher AND the 'stats' capability assigned to their role.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could delete all user activity logs, disrupting audit trails and potentially enabling further attacks by removing evidence of malicious activity.

🟠

Likely Case

Malicious users deleting other users' like/dislike history, causing data integrity issues and user experience problems.

🟢

If Mitigated

Minimal impact with proper access controls and monitoring, as only authenticated users with specific capabilities can exploit this.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access and knowledge of target log entry IDs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 4.8.3.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3451296/wp-ulike/trunk/admin/admin-ajax.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP ULike and click 'Update Now'. 4. Alternatively, download latest version from WordPress plugin repository and replace plugin files.

🔧 Temporary Workarounds

Disable WP ULike Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate wp-ulike

Restrict User Capabilities

all

Remove 'stats' capability from Subscriber and other low-privilege roles

wp cap remove subscriber stats
wp cap remove contributor stats

🧯 If You Can't Patch

Implement web application firewall rules to block requests to wp_ulike_delete_history_api endpoint
Enable detailed logging of all AJAX requests to monitor for suspicious delete operations

🔍 How to Verify

Check if Vulnerable:

Check WP ULike plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin get wp-ulike --field=version

Verify Fix Applied:

Verify plugin version is higher than 4.8.3.1 and test delete functionality with different user accounts

📡 Detection & Monitoring

Log Indicators:

Multiple DELETE requests to admin-ajax.php with wp_ulike_delete_history_api action from single user
Unusual pattern of log entry deletions across different user IDs

Network Indicators:

POST requests to /wp-admin/admin-ajax.php with action=wp_ulike_delete_history_api and varying id parameters

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "wp_ulike_delete_history_api" AND "DELETE"

📊 Metadata

CVE ID: CVE-2026-0909

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-639

Published: February 3, 2026

Last Updated: February 4, 2026

🤖 AI-assisted analysis, reviewed for accuracy