CVE-2024-9648
Description
The WP ULike Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the WP_Ulike_Pro_File_Uploader class in all versions up to, and including, 1.9.3. This makes it possible for unauthenticated attackers to upload limited arbitrary files like .php2, .php6, .php7, .phps, .pht, .phtm, .pgif, .shtml, .phar, .inc, .hphp, .ctp, .module, .html, .svg on the affected site's server, which may make other attacks like Cross-Site Scripting possible. Only versions up to 1.8.7 were confirmed vulnerable; however, the earliest tested version for a patch we have access to is 1.9.4, so we are considering 1.9.4 the patched version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WP ULike Pro plugin for WordPress (versions ≤1.9.3) allows unauthenticated arbitrary file uploads of limited types, enabling potential XSS attacks.
Vulnerability
Overview
The WP ULike Pro plugin [1] for WordPress contains an arbitrary file upload vulnerability in the WP_Ulike_Pro_File_Uploader class due to insufficient file type validation. This affects all versions up to and including 1.9.3, though only versions up to 1.8.7 have been confirmed vulnerable. The flaw allows unauthenticated attackers to upload files with extensions such as .php2, .php6, .php7, .phps, .pht, .phtm, .pgif, .shtml, .phar, .inc, .hphp, .ctp, .module, .html, and .svg.
Exploitation
An unauthenticated attacker can exploit this by sending a crafted file upload request to the vulnerable endpoint. No authentication or special privileges are required. The uploaded file types are limited but include .html and .svg, which can be used to inject malicious scripts. Other extensions like .phar or .shtml may be leveraged if the server is misconfigured to execute them.
Impact
Successful exploitation allows an attacker to store arbitrary HTML or SVG files on the server, leading to stored Cross-Site Scripting (XSS) attacks when other users view the uploaded content. In some server configurations, the uploaded files could potentially be executed, leading to more severe consequences such as remote code execution.
Mitigation
The vulnerability is patched in version 1.9.4. Users are strongly advised to update to the latest version immediately. No workarounds have been provided by the vendor.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
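The description above attributes the flaw to insufficient file type validation in the uploader class. As an added illustration (not the plugin's code, and not derived from its patch), the plain-PHP validator below contrasts a deny-list check that only blocks the literal `.php` extension with an allow-list check that treats every dotted segment as an extension and verifies the file's magic bytes. The allowed extension set, the MIME map and the sample upload bodies are assumptions for a hypothetical image uploader; the extension variants in the samples are the ones the advisory lists.

```php
<?php
// Added example, not code from WP ULike Pro: allow-list upload validation
// in plain PHP, showing why a deny-list of ".php" alone misses variants
// such as .php7, .phtml, .phar, .html and .svg.

declare(strict_types=1);

/** Extensions a hypothetical avatar uploader legitimately needs (assumption). */
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/** MIME type each allowed extension must match, as reported by fileinfo (assumption). */
const ALLOWED_MIME_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/**
 * Deny-list check of the kind that produces this bug class: it only rejects
 * the literal "php" extension, so "x.php7", "x.phtml" or "x.svg" pass.
 */
function denylist_is_allowed(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

/**
 * Allow-list check: every dotted segment after the first is treated as an
 * extension (Apache mod_mime interprets "a.php.gif" the same way), each must
 * be in the allow list, and the content's magic bytes must match the last one.
 */
function allowlist_is_allowed(string $filename, string $contents): bool
{
    $base  = basename($filename);            // drop any directory components
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                        // no extension, or a dot-file
    }
    $exts = array_slice($parts, 1);
    foreach ($exts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return false;                    // .php7, .phtml, .svg, .html ... all land here
        }
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);  // libmagic sniffing of the actual bytes
    $mime  = $finfo->buffer($contents);
    return $mime === ALLOWED_MIME_TYPES[end($exts)];
}

// Constructed sample uploads: [filename, body]. The bodies are made up for
// this example and are not data from the advisory.
$samples = [
    ['avatar.gif',     "GIF89a\x01\x00\x01\x00"],                       // legitimate image
    ['avatar.php7',    "<?php echo 1;"],                                 // variant named in the CVE
    ['avatar.phtml',   "<?php echo 1;"],
    ['icon.svg',       '<svg xmlns="http://www.w3.org/2000/svg"></svg>'], // stored-XSS vector
    ['avatar.php.gif', "GIF89a\x01\x00\x01\x00"],                       // double extension
    ['avatar.gif',     "<?php echo 1;"],                                 // wrong magic bytes
];

foreach ($samples as [$name, $body]) {
    printf(
        "%-16s denylist=%-6s allowlist=%s\n",
        $name,
        denylist_is_allowed($name) ? 'pass' : 'reject',
        allowlist_is_allowed($name, $body) ? 'pass' : 'reject'
    );
}
```

Run with `php validator.php`: only the first sample passes the allow-list check, while the deny-list check passes all six. The point for reviewers of upload code is that the allow list is short and positive, every segment after the first dot is checked, and the decision does not rely on the client-supplied name or `Content-Type` alone.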
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.