CVE-2024-9649: 
WordPress vulnerability analysis and mitigation

The WP ULike – The Ultimate Engagement Toolkit for WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 4.7.4. The vulnerability was discovered and disclosed on October 15, 2024, affecting the WordPress plugin's engagement tracking functionality (NVD).

The vulnerability stems from missing or incorrect nonce validation in the wp_ulike_delete_history_api() function. This security flaw has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating a network-accessible vulnerability requiring user interaction (NVD).

When exploited, this vulnerability allows unauthenticated attackers to delete engagement records from the website's database by tricking site administrators into performing specific actions, such as clicking on a malicious link. This can lead to the loss of legitimate engagement data (NVD).

Site administrators running affected versions of the WP ULike plugin should update to a version newer than 4.7.4 when available. Until then, administrators should exercise caution when clicking on links, especially those related to the WP ULike plugin's functionality (NVD).