CVE-2025-25115

Vulnerability

Overview

The Like dislike plus counter plugin for WordPress (versions up to and including 1.0) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users view the affected page.

Exploitation

Details

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form [1]. The attacker does not need direct access to the site but must convince a privileged user to interact with the crafted payload. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Impact

Successful exploitation allows an attacker to inject malicious scripts that can perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing sensitive information [1]. The injected content executes in the context of the victim's browser, potentially compromising the integrity and trustworthiness of the affected website.

Mitigation

As of the publication date (2025-03-03), no official patch has been released for this vulnerability. However, Patchstack has issued a mitigation rule to block attacks until an official fix is available and can be safely applied [1]. Users are advised to update the plugin as soon as a patched version is released or to contact their hosting provider for assistance. If unable to update, implementing the Patchstack rule is recommended.