WP ULike
cpe:2.3:a:wpulike:wp_ulike:*:*:*:*:wordpress:*:*, +1 more
- <= 4.8.3.1
A vulnerability exists in the WP ULike plugin for WordPress, affecting all versions up to and including 4.8.3.1. The issue is an Insecure Direct Object Reference (IDOR) that allows authenticated users with Subscriber-level access and above (and the 'stats' capability) to delete log entries belonging to other users. This vulnerability arises because the 'wp_ulike_delete_history_api' AJAX action does not properly verify ownership of the log entries being deleted, allowing misuse of the 'id' parameter to target arbitrary logs.
Exploitation of this vulnerability could lead to unauthorized deletion of log entries, potentially disrupting user activity records and engagement analytics.
To reproduce this vulnerability, an authenticated user with Subscriber-level access (and the 'stats' capability) can send a request to the 'wp_ulike_delete_history_api' AJAX action. The request must include an 'id' parameter that specifies the log entry to be deleted. Since the action does not verify that the log entry belongs to the current user, this allows for deletion of logs from other users.
Users are advised to update the WP ULike plugin to version 5.0.0 or later, where this vulnerability has been patched.
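For defenders reviewing similar AJAX endpoints, here is an illustrative WordPress handler that performs the ownership check the advisory says is missing. This is an added example, not WP ULike's own code; the action name, table and column names are assumptions.

```php
<?php
// Illustrative WordPress AJAX handler (not WP ULike's own code) showing the
// ownership check whose absence produces an IDOR like the one described above.
// The action name, table and column names are assumptions made for this example.
add_action( 'wp_ajax_example_delete_history', 'example_delete_history' );

function example_delete_history() {
    global $wpdb;
    // CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_delete_history', 'nonce' );

    // A capability check alone is not enough: a 'stats'-style capability grants
    // the right to manage one's own history, not every user's.
    if ( ! current_user_can( 'stats' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid id.' ), 400 );
    }

    $table   = $wpdb->prefix . 'example_history'; // hypothetical table
    $user_id = get_current_user_id();

    // Ownership check, the step missing in an IDOR: look the row up scoped to the
    // current user, so an 'id' that belongs to someone else simply does not match.
    $owned = $wpdb->get_var( $wpdb->prepare(
        "SELECT id FROM {$table} WHERE id = %d AND user_id = %d",
        $id,
        $user_id
    ) );
    if ( null === $owned ) {
        // Same response as "does not exist", so the endpoint does not confirm
        // whether a given id belongs to another user.
        wp_send_json_error( array( 'message' => 'Log entry not found.' ), 404 );
    }

    // Delete with the same scoping in the WHERE clause, never by id alone; the
    // database then enforces ownership even if the check above is ever bypassed.
    $deleted = $wpdb->delete(
        $table,
        array( 'id' => $id, 'user_id' => $user_id ),
        array( '%d', '%d' )
    );
    if ( false === $deleted || 0 === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}
```

The key property is that the user id comes from the server-side session (get_current_user_id), never from the request, and it appears in both the lookup and the DELETE's WHERE clause.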