{"id":"CVE-2026-2358","details":"The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due to the use of `html_entity_decode()` on shortcode attributes without subsequent output sanitization, which effectively bypasses WordPress's `wp_kses_post()` content filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The post must have at least one like for the XSS to render.","modified":"2026-04-02T13:13:17.653704Z","published":"2026-03-11T06:17:14.033Z","references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/hooks/shortcodes.php#L209"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475381%40wp-ulike%2Ftrunk&old=3457255%40wp-ulike%2Ftrunk&sfp_email=&sfph_mail="},{"type":"WEB","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/74a7db23-f91c-452b-bc24-58fda69caf17?source=cve"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/general.php#L375"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/utilities.php#L226"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/includes/functions/utilities.php#L251"},{"type":"FIX","url":"https://github.com/Alimir/wp-ulike/commit/3dcce696ea251b3733448332cc167e03b2a17c12"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/alimir/wp-ulike","events":[{"introduced":"0"},{"fixed":"3dcce696ea251b3733448332cc167e03b2a17c12"}]}],"versions":["3.6.1","3.6.2","4.0.0","4.0.2","4.0.3","4.0.4","4.0.5","4.1.0","4.1.1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.1.9","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.3.0","4.3.1","4.3.2","4.3.3","4.3.6","4.4.0","4.4.1","4.4.2","4.4.3","4.4.5","4.4.6","4.4.7","4.4.8","4.4.9","4.5.0","4.5.1","4.5.5","4.6.1","4.6.7","4.6.8","4.7.2","4.7.4","4.7.6","4.7.9","5.0.0","v3.3","v3.3.1","v3.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2358.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}]}