MEDIUMCVE-2025-12404CVSS 6.1

Like-it <= 2.2 - 跨站请求伪造到存储型跨站脚本

Q: What is CVE-2025-12404 — XSS in Like-it WordPress Plugin?

CVE-2025-12404 is a Cross-Site Scripting vulnerability in the Like-it WordPress plugin, allowing attackers to inject malicious scripts via forged requests due to missing nonce validation.

Q: Am I affected by CVE-2025-12404 in Like-it WordPress Plugin?

You are affected if your WordPress site uses the Like-it plugin in versions 0.0.0 through 2.2. Upgrade to a patched version to resolve the vulnerability.

Q: How do I fix CVE-2025-12404 in Like-it WordPress Plugin?

The recommended fix is to upgrade the Like-it plugin to a version containing the security patch. If upgrading is not possible, implement stricter CSRF protection measures.

Q: Is CVE-2025-12404 being actively exploited?

There is no confirmed active exploitation of CVE-2025-12404 at this time, but it is crucial to apply the patch to prevent potential future attacks.

Q: Where can I find the official Like-it advisory for CVE-2025-12404?

Please refer to the WordPress plugin repository or the Like-it plugin developer's website for the official advisory and update information.

平台

wordpress

组件

like-it

修复版本

2.2.1

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2025-12404 identifies a Cross-Site Scripting (XSS) vulnerability affecting the Like-it plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious web scripts by exploiting insufficient nonce validation within the likeit_conf() function. The vulnerability impacts versions 0.0.0 through 2.2 of the plugin and requires an attacker to trick a site administrator into performing an action. A fix is expected to be released by the vendor.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

Successful exploitation of CVE-2025-12404 allows an attacker to inject arbitrary JavaScript code into a WordPress site. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data. The attacker needs to craft a Cross-Site Request Forgery (CSRF) attack, tricking a site administrator into clicking a malicious link or visiting a compromised page. The blast radius is limited to users who interact with the affected WordPress site and are susceptible to CSRF attacks.

利用背景翻译中…

CVE-2025-12404 was publicly disclosed on 2025-11-18. No public proof-of-concept (PoC) code has been released at the time of writing. It is not currently listed on the CISA KEV catalog. The EPSS score is likely to be Low to Medium, given the requirement for administrator interaction and the absence of a public exploit.

哪些人处于风险中翻译中…

WordPress websites utilizing the Like-it plugin, particularly those with site administrators who are susceptible to social engineering attacks or phishing attempts, are at risk. Shared hosting environments where multiple websites share the same server resources may also be affected if one site is compromised.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r 'likeit_conf(' /var/www/html/wp-content/plugins/like-it/

• generic web:

curl -I https://example.com/wp-content/plugins/like-it/ | grep -i 'X-Frame-Options'

• wordpress / composer / npm:

wp plugin list | grep like-it

攻击时间线

2025-11-18Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

EPSS

0.03% (7% 百分位)

CISA SSVC

利用情况none

可自动化no

技术影响partial

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope: 已改变 — 攻击可以超出脆弱组件，影响其他系统。
Confidentiality: 低 — 可访问部分数据。
Integrity: 低 — 攻击者可修改部分数据，影响有限。
Availability: 无 — 无可用性影响。

受影响的软件

组件like-it

供应商wordfence

影响范围修复版本

0 – 2.22.2.1

弱点分类 (CWE)

CWE-352

时间线

已保留2025-10-28
发布日期2025-11-18
修改日期2026-04-08
EPSS 更新日期2026-03-23

未修复 — 披露已187天

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2025-12404 is to upgrade the Like-it plugin to a version containing the security fix. If upgrading is not immediately feasible, consider implementing stricter CSRF protection measures at the web server level, such as implementing double-submit cookies or utilizing a Web Application Firewall (WAF) with CSRF protection rules. Regularly review WordPress plugin configurations and ensure that only trusted plugins are installed and kept up-to-date. After upgrading, confirm the fix by attempting to trigger the vulnerable likeit_conf() function with a forged request and verifying that the action is blocked.

修复方法

没有已知的补丁可用。请深入审查漏洞的详细信息，并根据您组织的风险承受能力采取缓解措施。最好卸载受影响的软件并寻找替代方案。

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2025-12404 — XSS in Like-it WordPress Plugin?

CVE-2025-12404 is a Cross-Site Scripting vulnerability in the Like-it WordPress plugin, allowing attackers to inject malicious scripts via forged requests due to missing nonce validation.

Am I affected by CVE-2025-12404 in Like-it WordPress Plugin?

You are affected if your WordPress site uses the Like-it plugin in versions 0.0.0 through 2.2. Upgrade to a patched version to resolve the vulnerability.

How do I fix CVE-2025-12404 in Like-it WordPress Plugin?

The recommended fix is to upgrade the Like-it plugin to a version containing the security patch. If upgrading is not possible, implement stricter CSRF protection measures.

Is CVE-2025-12404 being actively exploited?

There is no confirmed active exploitation of CVE-2025-12404 at this time, but it is crucial to apply the patch to prevent potential future attacks.

Where can I find the official Like-it advisory for CVE-2025-12404?

Please refer to the WordPress plugin repository or the Like-it plugin developer's website for the official advisory and update information.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE