Scan free
MEDIUMCVE-2025-12404CVSS 6.1

CVE-2025-12404: XSS in Like-it WordPress Plugin

Platform

wordpress

Component

like-it

Fixed in

2.2.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2025-12404 identifies a Cross-Site Scripting (XSS) vulnerability affecting the Like-it plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious web scripts by exploiting insufficient nonce validation within the likeit_conf() function. The vulnerability impacts versions 0.0.0 through 2.2 of the plugin and requires an attacker to trick a site administrator into performing an action. A fix is expected to be released by the vendor.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

Successful exploitation of CVE-2025-12404 allows an attacker to inject arbitrary JavaScript code into a WordPress site. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data. The attacker needs to craft a Cross-Site Request Forgery (CSRF) attack, tricking a site administrator into clicking a malicious link or visiting a compromised page. The blast radius is limited to users who interact with the affected WordPress site and are susceptible to CSRF attacks.

Exploitation Context

CVE-2025-12404 was publicly disclosed on 2025-11-18. No public proof-of-concept (PoC) code has been released at the time of writing. It is not currently listed on the CISA KEV catalog. The EPSS score is likely to be Low to Medium, given the requirement for administrator interaction and the absence of a public exploit.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.03% (7% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N6.1MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentlike-it
Vendorwordfence
Affected rangeFixed in
0 – 2.22.2.1

Weakness Classification (CWE)

CWE-352

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 187 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-12404 is to upgrade the Like-it plugin to a version containing the security fix. If upgrading is not immediately feasible, consider implementing stricter CSRF protection measures at the web server level, such as implementing double-submit cookies or utilizing a Web Application Firewall (WAF) with CSRF protection rules. Regularly review WordPress plugin configurations and ensure that only trusted plugins are installed and kept up-to-date. After upgrading, confirm the fix by attempting to trigger the vulnerable likeit_conf() function with a forged request and verifying that the action is blocked.

How to fix

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-12404 — XSS in Like-it WordPress Plugin?

CVE-2025-12404 is a Cross-Site Scripting vulnerability in the Like-it WordPress plugin, allowing attackers to inject malicious scripts via forged requests due to missing nonce validation.

Am I affected by CVE-2025-12404 in Like-it WordPress Plugin?

You are affected if your WordPress site uses the Like-it plugin in versions 0.0.0 through 2.2. Upgrade to a patched version to resolve the vulnerability.

How do I fix CVE-2025-12404 in Like-it WordPress Plugin?

The recommended fix is to upgrade the Like-it plugin to a version containing the security patch. If upgrading is not possible, implement stricter CSRF protection measures.

Is CVE-2025-12404 being actively exploited?

There is no confirmed active exploitation of CVE-2025-12404 at this time, but it is crucial to apply the patch to prevent potential future attacks.

Where can I find the official Like-it advisory for CVE-2025-12404?

Please refer to the WordPress plugin repository or the Like-it plugin developer's website for the official advisory and update information.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs