WP ULike – Like & Dislike Buttons for Engagement and Feedback Security & Risk Analysis

wordpress.org/plugins/wp-ulike

Voting buttons that let your visitors give instant feedback. See what your audience loves with no registration, no friction, just one click.

70K active installs · v5.0.2 · PHP 7.2.5+ · WP 6.0+ · Updated Mar 5, 2026
Tags: analytics, engagement, feedback, like, marketing

Score: 60 · Grade C · Use Caution
CVEs total: 17
Unpatched: 1
Last CVE: Mar 10, 2026
Safety Verdict

Is WP ULike – Like & Dislike Buttons for Engagement and Feedback Safe to Use in 2026?

Use With Caution

Score 60/100

WP ULike – Like & Dislike Buttons for Engagement and Feedback has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

17 known CVEs · 1 unpatched · Last CVE: Mar 10, 2026 · Updated 29d ago
Risk Assessment

The wp-ulike plugin, version 5.0.2, presents a mixed security posture. While it demonstrates good practices like using prepared statements for the vast majority of SQL queries and a decent percentage of output escaping, several concerns warrant attention. The presence of unprotected AJAX handlers and a REST API route without permission callbacks creates immediate attack vectors. The plugin's history of 17 known CVEs, including 3 high-severity vulnerabilities and one currently unpatched, is a significant red flag. Common vulnerability types such as Authorization Bypass, CSRF, XSS, SQL Injection, Race Conditions, and Missing Authorization suggest recurring security weaknesses that have not been fully remediated. This historical pattern indicates a need for more robust security development and auditing processes.

Key Concerns

  • Unprotected AJAX handlers
  • REST API route without permission callbacks
  • Currently unpatched CVE
  • High-severity known CVEs
  • Recurring vulnerability types (Auth bypass, CSRF, XSS, SQLi)
  • Moderate output escaping percentage
Vulnerabilities (17)

WP ULike – Like & Dislike Buttons for Engagement and Feedback Security Vulnerabilities

CVEs by Year

  • 2018: 2 CVEs
  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 8 CVEs
  • 2025: 3 CVEs
  • 2026: 2 CVEs (includes the unpatched one)

Severity Breakdown

  • High: 3
  • Medium: 14

17 total CVEs

CVE-2026-2358 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute

Mar 10, 2026 · Unpatched

CVE-2026-0909 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

WP ULike <= 4.8.3.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Log Deletion via 'id' Parameter

Feb 2, 2026 · Patched in 5.0.0 (1d)

CVE-2025-32259 · medium · 5.3 · Missing Authorization

WP ULike <= 4.7.9.1 - Missing Authorization to Unauthenticated Content Spoofing

Apr 4, 2025 · Patched in 4.7.10 (130d)

CVE-2024-12770 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike <= 4.7.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jan 23, 2025 · Patched in 4.7.6 (30d)

CVE-2025-22738 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike <= 4.7.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jan 14, 2025 · Patched in 4.7.7 (9d)

CVE-2024-9649 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP ULike <= 4.7.4 - Cross-Site Request Forgery to Statistic Deletion

Oct 15, 2024 · Patched in 4.7.5 (464d)

CVE-2024-7879 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike <= 4.7.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 15, 2024 · Patched in 4.7.5 (32d)

CVE-2024-7878 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike <= 4.7.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Sep 4, 2024 · Patched in 4.7.4 (31d)

CVE-2024-6792 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike 4.7.1 - 4.7.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Aug 16, 2024 · Patched in 4.7.2.1 (28d)

CVE-2024-6094 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike <= 4.7.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jul 3, 2024 · Patched in 4.7.1 (31d)

CVE-2024-1572 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike <= 4.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Apr 26, 2024 · Patched in 4.7.0 (7d)

CVE-2024-1797 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP ULike – Most Advanced WordPress Marketing Toolkit <= 4.6.9 - Authenticated (Contributor+) SQL Injection via Shortcodes

Apr 26, 2024 · Patched in 4.7.0 (7d)

CVE-2024-1759 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike <= 4.6.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Apr 26, 2024 · Patched in 4.7.0 (8d)

CVE-2023-45640 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike <= 4.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Oct 12, 2023 · Patched in 4.6.9 (103d)

CVE-2022-45842 · medium · 4.3 · Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

WP ULike <= 4.6.4 - Race Condition

Nov 24, 2022 · Patched in 4.6.5 (425d)

CVE-2018-1000508 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP ULike < 3.2 - Cross-Site Scripting

May 14, 2018 · Patched in 3.2 (2080d)

CVE-2018-1000511 · high · 7.5 · Missing Authorization

WP ULike < 3.2 - Missing Authorization

May 14, 2018 · Patched in 3.2 (2080d)
Code Analysis
Analyzed Mar 16, 2026

WP ULike – Like & Dislike Buttons for Engagement and Feedback Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 7 (122 prepared)
  • Unescaped Output: 375 (766 escaped)
  • Nonce Checks: 16
  • Capability Checks: 16
  • File Operations: 9
  • External Requests: 2
  • Bundled Libraries: 0

SQL Query Safety

95% prepared · 129 total queries

Output Escaping

67% escaped · 1141 total outputs

Data Flows

All sanitized

Data Flow Analysis

3 flows

ulf_export (admin\settings\functions\actions.php:62) · sanitized
Attack Surface (5 unprotected)

WP ULike – Like & Dislike Buttons for Engagement and Feedback Attack Surface

Entry Points: 25
Unprotected: 5

AJAX Handlers (21)

auth · wp_ajax_wp_ulike_dismissed_notice · admin\admin-ajax.php:33
auth · wp_ajax_wp_ulike_stats_api · admin\admin-ajax.php:49
auth · wp_ajax_wp_ulike_history_api · admin\admin-ajax.php:71
auth · wp_ajax_wp_ulike_delete_history_api · admin\admin-ajax.php:99
auth · wp_ajax_wp_ulike_localization · admin\admin-ajax.php:272
auth · wp_ajax_wp_ulike_schema_api · admin\admin-ajax.php:293
auth · wp_ajax_wp_ulike_settings_api · admin\admin-ajax.php:314
auth · wp_ajax_wp_ulike_save_settings_api · admin\admin-ajax.php:348
auth · wp_ajax_wp_ulike_customizer_schema_api · admin\admin-ajax.php:370
auth · wp_ajax_wp_ulike_customizer_values_api · admin\admin-ajax.php:391
auth · wp_ajax_wp_ulike_save_customizer_api · admin\admin-ajax.php:419
auth · wp_ajax_wp_ulike_customizer_preview_api · admin\admin-ajax.php:439
auth · wp_ajax_ulf-get-icons · admin\settings\functions\actions.php:50
auth · wp_ajax_ulf-export · admin\settings\functions\actions.php:87
auth · wp_ajax_ulf-import · admin\settings\functions\actions.php:123
auth · wp_ajax_ulf-reset · admin\settings\functions\actions.php:150
auth · wp_ajax_ulf-chosen · admin\settings\functions\actions.php:189
auth · wp_ajax_wp_ulike_process · includes\hooks\frontend-ajax.php:28
nopriv · wp_ajax_wp_ulike_process · includes\hooks\frontend-ajax.php:29
auth · wp_ajax_wp_ulike_get_likers · includes\hooks\frontend-ajax.php:38
nopriv · wp_ajax_wp_ulike_get_likers · includes\hooks\frontend-ajax.php:39

REST API Routes (1)

GET /wp-json/wp-ulike/v1/templates · includes\blocks\index.php:379

Shortcodes (3)

[wp_ulike] · includes\hooks\shortcodes.php:83
[wp_ulike_counter] · includes\hooks\shortcodes.php:152
[wp_ulike_likers_box] · includes\hooks\shortcodes.php:217

WordPress Hooks (117)

filter · admin_footer_text · admin\admin-hooks.php:41
filter · get_avatar · admin\admin-hooks.php:53
action · wp_logout · admin\admin-hooks.php:67
filter · wp_ulike_menu_badge_count · admin\admin-hooks.php:82
filter · wp_ulike_admin_sub_menu_title · admin\admin-hooks.php:99
action · admin_notices · admin\admin-hooks.php:294
filter · wp_ulike_admin_pages · admin\admin-hooks.php:325
filter · wp_ulike_admin_notices_instances · admin\admin-hooks.php:337
action · manage_posts_custom_column · admin\admin-hooks.php:355
action · manage_pages_custom_column · admin\admin-hooks.php:356
filter · manage_posts_columns · admin\admin-hooks.php:385
filter · manage_pages_columns · admin\admin-hooks.php:386
action · pre_get_posts · admin\admin-hooks.php:416
filter · found_posts · admin\admin-hooks.php:439
filter · manage_edit-comments_columns · admin\admin-hooks.php:454
filter · manage_edit-comments_sortable_columns · admin\admin-hooks.php:469
filter · manage_comments_custom_column · admin\admin-hooks.php:484
action · pre_get_comments · admin\admin-hooks.php:512
filter · wp_ulike_panel_customization · admin\admin-hooks.php:545
action · wp_ulike_settings_saved · admin\admin-hooks.php:570
action · wp_ulike_customizer_saved · admin\admin-hooks.php:572
action · wp_ulike_customizer_saved · admin\admin-hooks.php:590
action · admin_enqueue_scripts · admin\classes\class-wp-ulike-admin-assets.php:28
action · admin_menu · admin\classes\class-wp-ulike-admin-pages.php:54
action · wp_enqueue_scripts · admin\settings\classes\abstract.class.php:21
action · admin_menu · admin\settings\classes\admin-options.class.php:107
action · admin_bar_menu · admin\settings\classes\admin-options.class.php:108
action · network_admin_menu · admin\settings\classes\admin-options.class.php:112
filter · admin_footer_text · admin\settings\classes\admin-options.class.php:432
action · add_meta_boxes_comment · admin\settings\classes\comment-options.class.php:38
action · edit_comment · admin\settings\classes\comment-options.class.php:39
action · customize_register · admin\settings\classes\customize-options.class.php:44
action · customize_save_after · admin\settings\classes\customize-options.class.php:45
action · wp_enqueue_scripts · admin\settings\classes\customize-options.class.php:49
action · add_meta_boxes · admin\settings\classes\metabox-options.class.php:50
action · save_post · admin\settings\classes\metabox-options.class.php:51
action · edit_attachment · admin\settings\classes\metabox-options.class.php:52
action · wp_nav_menu_item_custom_fields · admin\settings\classes\nav-menu-options.class.php:32
action · wp_update_nav_menu_item · admin\settings\classes\nav-menu-options.class.php:33
filter · wp_edit_nav_menu_walker · admin\settings\classes\nav-menu-options.class.php:35
action · admin_init · admin\settings\classes\profile-options.class.php:32
action · show_user_profile · admin\settings\classes\profile-options.class.php:44
action · edit_user_profile · admin\settings\classes\profile-options.class.php:45
action · personal_options_update · admin\settings\classes\profile-options.class.php:47
action · edit_user_profile_update · admin\settings\classes\profile-options.class.php:48
action · after_setup_theme · admin\settings\classes\setup.class.php:73
action · init · admin\settings\classes\setup.class.php:74
action · switch_theme · admin\settings\classes\setup.class.php:75
action · admin_enqueue_scripts · admin\settings\classes\setup.class.php:76
action · admin_footer · admin\settings\classes\shortcode-options.class.php:47
action · customize_controls_print_footer_scripts · admin\settings\classes\shortcode-options.class.php:48
action · elementor/editor/before_enqueue_scripts · admin\settings\classes\shortcode-options.class.php:59
action · elementor/editor/footer · admin\settings\classes\shortcode-options.class.php:60
action · elementor/editor/footer · admin\settings\classes\shortcode-options.class.php:61
action · media_buttons · admin\settings\classes\shortcode-options.class.php:264
action · admin_init · admin\settings\classes\taxonomy-options.class.php:41
action · admin_footer · admin\settings\fields\icon\icon.php:41
action · customize_controls_print_footer_scripts · admin\settings\fields\icon\icon.php:42
action · admin_print_footer_scripts · admin\settings\fields\link\link.php:65
action · print_default_editor_scripts · admin\settings\fields\wp_editor\wp_editor.php:62
action · wpmu_new_blog · includes\action.php:33
filter · block_categories_all · includes\blocks\index.php:27
action · init · includes\blocks\index.php:99
action · enqueue_block_assets · includes\blocks\index.php:254
action · enqueue_block_editor_assets · includes\blocks\index.php:306
action · wp_enqueue_scripts · includes\blocks\index.php:325
action · rest_api_init · includes\blocks\index.php:385
action · wp_enqueue_scripts · includes\classes\class-wp-ulike-frontend-assets.php:28
action · wp_ulike_after_process · includes\classes\class-wp-ulike-mycred.php:61
filter · safe_style_css · includes\functions\general.php:832
filter · the_content · includes\hooks\general.php:56
filter · the_excerpt · includes\hooks\general.php:57
filter · comment_text · includes\hooks\general.php:115
action · widgets_init · includes\hooks\general.php:133
action · wp_ulike_inside_template · includes\hooks\general.php:168
action · wp_ulike_inside_template · includes\hooks\general.php:203
action · wp_ulike_inside_template · includes\hooks\general.php:238
action · plugins_loaded · includes\hooks\general.php:252
action · wp_ulike_loaded · includes\hooks\general.php:285
action · wp_footer · includes\hooks\general.php:310
action · before_delete_post · includes\hooks\general.php:353
action · deleted_comment · includes\hooks\general.php:366
action · bp_activity_delete · includes\hooks\general.php:382
action · bp_activity_entry_meta · includes\hooks\third-party.php:58
action · bp_activity_entry_content · includes\hooks\third-party.php:59
filter · bp_get_activity_content_body · includes\hooks\third-party.php:72
action · bp_nouveau_get_single_activity_content · includes\hooks\third-party.php:83
filter · bp_activity_comment_content · includes\hooks\third-party.php:104
action · bp_activity_comment_options · includes\hooks\third-party.php:122
action · bp_register_activity_actions · includes\hooks\third-party.php:140
action · bp_activity_filter_options · includes\hooks\third-party.php:154
action · bp_member_activity_filter_options · includes\hooks\third-party.php:155
action · bp_group_activity_filter_options · includes\hooks\third-party.php:156
filter · bp_ajax_querystring · includes\hooks\third-party.php:196
filter · bp_notifications_get_registered_components · includes\hooks\third-party.php:217
action · wp_ulike_after_process · includes\hooks\third-party.php:334
filter · bp_notifications_get_notifications_for_user · includes\hooks\third-party.php:425
action · bp_nouveau_notifications_init_filters · includes\hooks\third-party.php:465
action · wp_loaded · includes\hooks\third-party.php:498
action · bbp_theme_before_reply_content · includes\hooks\third-party.php:557
action · bbp_theme_after_reply_content · includes\hooks\third-party.php:558
action · bbp_theme_before_topic_content · includes\hooks\third-party.php:559
action · bbp_theme_after_topic_content · includes\hooks\third-party.php:560
filter · bbp_get_topic_content · includes\hooks\third-party.php:604
action · wp_ulike_after_process · includes\hooks\third-party.php:633
filter · mycred_setup_hooks · includes\hooks\third-party.php:657
filter · mycred_all_references · includes\hooks\third-party.php:674
filter · um_profile_tabs · includes\hooks\third-party.php:700
action · um_profile_content_wp-ulike-posts_default · includes\hooks\third-party.php:756
action · um_profile_content_wp-ulike-comments_default · includes\hooks\third-party.php:814
action · plugins_loaded · includes\plugin.php:37
action · activated_plugin · includes\plugin.php:40
action · admin_init · includes\pro.php:29
action · admin_notices · includes\pro.php:31
action · admin_notices · wp-ulike.php:64
action · admin_notices · wp-ulike.php:66
action · admin_notices · wp-ulike.php:70

Maintenance & Trust

WP ULike – Like & Dislike Buttons for Engagement and Feedback Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 5, 2026
  • PHP min version: 7.2.5
  • Downloads: 2.4M

Community Trust

  • Rating: 96/100
  • Number of ratings: 276
  • Active installs: 70K

Developer Profile

WP ULike – Like & Dislike Buttons for Engagement and Feedback Developer Profile

Alimir

4 plugins · 70K total installs

  • Trust score: 61
  • Avg Security Score: 74/100
  • Avg Patch Time: 342 days

Detection Fingerprints

How We Detect WP ULike – Like & Dislike Buttons for Engagement and Feedback

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-ulike/assets/css/wp-ulike-frontend.css
  • /wp-content/plugins/wp-ulike/assets/css/wp-ulike-general.css
  • /wp-content/plugins/wp-ulike/assets/js/wp-ulike-frontend.js
  • /wp-content/plugins/wp-ulike/assets/js/wp-ulike-general.js
  • /wp-content/plugins/wp-ulike/admin/assets/css/admin.css
  • /wp-content/plugins/wp-ulike/admin/assets/css/plugins.css
  • /wp-content/plugins/wp-ulike/admin/includes/statistics/main.css
  • /wp-content/plugins/wp-ulike/admin/includes/statistics/main.js
  • (+2 more)

Script Paths
  • /wp-content/plugins/wp-ulike/assets/js/wp-ulike-frontend.js
  • /wp-content/plugins/wp-ulike/assets/js/wp-ulike-general.js
  • /wp-content/plugins/wp-ulike/admin/includes/statistics/main.js
  • /wp-content/plugins/wp-ulike/admin/includes/optiwich/optiwich.umd.js

Version Parameters
  • wp-ulike/assets/css/wp-ulike-frontend.css?ver=
  • wp-ulike/assets/css/wp-ulike-general.css?ver=
  • wp-ulike/assets/js/wp-ulike-frontend.js?ver=
  • wp-ulike/assets/js/wp-ulike-general.js?ver=
  • wp-ulike-admin?ver=
  • wp-ulike-admin-plugins?ver=
  • wp_ulike_admin_react?ver=
  • wp-ulike-optiwich?ver=

HTML / DOM Fingerprints

CSS Classes
  • wp_ulike_btn
  • wp_ulike_btn_icon
  • wp_ulike_is_liked
  • wp_ulike_likers_count
  • wp_ulike_general_loop_button
  • wp_ulike_customize_buttons
  • wp_ulike_optiwich_btn_wrapper
  • wp_ulike_optiwich_setting_form

HTML Comments
  • <!-- WP ULike - Load Admin Scripts -->
  • <!-- Do not change these values -->
  • <!-- Initialize the plugin -->
  • <!-- WP ULike admin notice for minimum PHP version. -->
  • (+20 more)

Data Attributes
  • data-ulike-id
  • data-ulike-target
  • data-ulike-type
  • data-ulike-group
  • data-ulike-action
  • data-ulike-status
  • (+18 more)

JS Globals
  • WP_Ulike_Settings
  • wpUlikeFrontend
  • wpUlikeStatsAppConfig
  • OptiwichAppConfig
  • wpUlikeAdmin

REST Endpoints
  • /wp-json/wp-ulike/v1/vote
  • /wp-json/wp-ulike/v1/get_likers

Shortcode Output
  • [wp_ulike]
  • [wp_ulike button_icon=
FAQ

Frequently Asked Questions about WP ULike – Like & Dislike Buttons for Engagement and Feedback