Key Information

Vulnerability Description
Vulnerability Name: WP Ulike < 4.7.6 - Admin+ Stored XSS
Description: The plugin fails to sanitize and escape certain settings, allowing high-privilege users (such as administrators) to perform stored cross-site scripting (XSS) attacks, even when the capability is disabled in a multisite setup.

Affected Plugin
Plugin Name: wp-ulike
Fixed Version: 4.7.6

References
CVE ID: CVE-2024-12770
URL: https://research.cleantalk.org/cve-2024-12770

Classification
Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE ID: CWE-79
CVSS Score: 3.5 (Low)

Additional Information
Original Researcher: Dmitriy Ignatyev
Submitter: Dmitriy Ignatyev
Submitter Website: https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/
Verification Status: Yes
WPVDB ID: e21f6a4e-f385-411b-8d91-0f38f9e6cdd3

Timeline
Public Release Date: 2024-11-19
Added Date: 2025-01-23
Last Updated Date: 2025-02-12

Related Vulnerabilities
Gutena Kit – Gutenberg Blocks and Templates <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
WP Logs Book <= 1.0.1 - Unauthenticated Stored XSS
WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
ARPrice <= 4.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Advanced Woo Search < 3.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via aws_search_terms Shortcode