CVE-2026-0909 Overview
The WP ULike plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 4.8.3.1. The flaw exists in the wp_ulike_delete_history_api AJAX action, which fails to verify that the log entry being deleted belongs to the current user. This authorization bypass allows authenticated attackers with Subscriber-level access or above to delete arbitrary log entries belonging to other users by manipulating the id parameter.
Critical Impact
Authenticated attackers with minimal privileges can delete arbitrary user log entries, potentially disrupting site analytics, removing voting/engagement history, and undermining data integrity across the WordPress installation.
Affected Products
- WP ULike plugin for WordPress versions up to and including 4.8.3.1
- WordPress installations with WP ULike plugin where the 'stats' capability is assigned to Subscriber-level roles or above
Discovery Timeline
- February 3, 2026 - CVE-2026-0909 published to NVD
- February 3, 2026 - Last updated in NVD database
Technical Details for CVE-2026-0909
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key. The core issue stems from the wp_ulike_delete_history_api AJAX handler accepting user-supplied log entry IDs without validating ownership. When a user submits a deletion request, the function processes the id parameter directly without confirming that the requesting user owns the targeted log entry.
The attack requires network access and low-privilege authentication (Subscriber-level), but once these conditions are met, the exploitation is straightforward. The vulnerability does not compromise confidentiality or availability directly but allows unauthorized modification of data integrity by enabling deletion of records belonging to other users.
Root Cause
The root cause is improper authorization validation in the wp_ulike_delete_history_api AJAX action handler. The vulnerable code at line 94 of admin/admin-ajax.php processes deletion requests based solely on the provided id parameter without implementing object-level authorization checks to verify the requesting user has permission to delete the specified log entry. This is a classic Insecure Direct Object Reference pattern where user-controlled input directly references internal objects without proper access control enforcement.
Attack Vector
The attack is executed via a network-based vector targeting the WordPress AJAX endpoint. An authenticated attacker with Subscriber-level access (provided they have the 'stats' capability assigned to their role) can craft malicious AJAX requests to the wp_ulike_delete_history_api action. By iterating through or guessing valid log entry IDs in the id parameter, the attacker can systematically delete engagement records belonging to any user on the system.
The attack flow involves:
- Authenticating to WordPress with a Subscriber-level account that has the 'stats' capability
- Sending AJAX POST requests to the wp_ulike_delete_history_api action
- Manipulating the id parameter to reference log entries belonging to other users
- Successfully deleting arbitrary log entries without ownership validation
Detection Methods for CVE-2026-0909
Indicators of Compromise
- Unexpected deletions in WP ULike log tables, particularly entries belonging to users other than the one authenticated
- AJAX requests to wp_ulike_delete_history_api action from accounts with minimal privileges
- Patterns of sequential id parameter values in deletion requests indicating enumeration attempts
- Unusual spikes in deletion activity from Subscriber-level accounts
Detection Strategies
- Monitor WordPress AJAX endpoints for unusual request patterns targeting the wp_ulike_delete_history_api action
- Implement logging for all delete operations in the WP ULike plugin to track which users are deleting which records
- Configure Web Application Firewall (WAF) rules to detect and alert on potential IDOR exploitation patterns
- Audit user role capabilities to identify accounts with the 'stats' capability that should not have deletion permissions
Monitoring Recommendations
- Enable detailed WordPress audit logging to capture all AJAX requests and their associated user contexts
- Set up alerts for bulk deletion operations or rapid sequential deletion requests from low-privilege accounts
- Regularly review WP ULike activity logs for anomalous patterns or missing expected entries
- Implement database-level monitoring for DELETE operations on WP ULike tables
How to Mitigate CVE-2026-0909
Immediate Actions Required
- Update the WP ULike plugin to the latest patched version immediately
- Review and restrict the 'stats' capability assignment to only trusted administrative roles
- Audit recent deletion activity in WP ULike logs to identify potential exploitation
- Consider temporarily disabling the WP ULike deletion functionality if an immediate update is not possible
Patch Information
A security patch has been released to address this vulnerability. The fix adds proper ownership validation to the wp_ulike_delete_history_api AJAX action to ensure users can only delete their own log entries. For technical details on the code changes, see the WordPress Changeset Update. Additional vulnerability information is available in the Wordfence Vulnerability Report.
Workarounds
- Remove the 'stats' capability from Subscriber-level and other non-administrative user roles until the plugin can be updated
- Implement a custom code snippet or security plugin to intercept and validate AJAX requests to the vulnerable endpoint
- Use a Web Application Firewall to block or monitor requests to the wp_ulike_delete_history_api action from non-administrative users
- Temporarily disable the WP ULike plugin if the functionality is not business-critical until a patch can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
