CVE-2025-5287: 
WordPress vulnerability analysis and mitigation

The Likes and Dislikes Plugin for WordPress contains a SQL Injection vulnerability (CVE-2025-5287) discovered and disclosed on May 27, 2025. The vulnerability affects all versions up to and including 1.0.0 and is related to insufficient escaping of the 'post' parameter and inadequate SQL query preparation. This security flaw has been assigned a CVSS v3.1 base score of 7.5 (HIGH) (Wiz, NVD).

The vulnerability is classified as CWE-89 (SQL Injection) and allows unauthenticated attackers to manipulate SQL queries by exploiting insufficient input validation. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and primarily impacts confidentiality (NVD, Wiz).

The vulnerability enables unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to unauthorized access and extraction of sensitive information from the database. This poses a significant risk to data confidentiality and the overall security of affected WordPress installations (NVD).

Users are advised to update to a version newer than 1.0.0 if available. If an update is not possible, it is recommended to remove or disable the plugin until a patch is available (Wiz).