CVE-2026-0909 - WP ULike <= 4.8.3.1 - insecure direct object reference to authenticated (subscrib...

CVE ID : CVE-2026-0909 Published : Feb. 3, 2026, 4:15 a.m. | 19 minutes ago Description : The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the `wp_ulike_delete_history_api` AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for authenticated attackers, with Subscriber-level access and above (granted the 'stats' capability is assigned to their role), to delete arbitrary log entries belonging to other users via the 'id' parameter. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...