CVE-2024-9648 in WP ULike Pro Plugin

Summary

by MITRE • 08/28/2025

The WP ULike Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the WP_Ulike_Pro_File_Uploader class in all versions up to, and including, 1.9.3. This makes it possible for unauthenticated attackers to upload limited arbitrary files like .php2, .php6, .php7, .phps, .pht, .phtm, .pgif, .shtml, .phar, .inc, .hphp, .ctp, .module, .html, .svg on the affected site's server which may make other attacks like Cross-Site Scripting possible. Only versions up to 1.8.7 were confirmed vulnerable; however, the earliest tested version for a patch we have access to is 1.9.4, so we are considering 1.9.4 the patched version.


Analysis

by VulDB Data Team • 08/28/2025

The WP ULike Pro plugin represents a significant security vulnerability in the WordPress ecosystem through its improper file type validation mechanisms. This flaw exists within the WP_Ulike_Pro_File_Uploader class, which handles file upload operations for the plugin. The vulnerability affects all versions up to and including 1.9.3, making it a widespread concern for WordPress administrators who have not yet updated their installations. The issue stems from inadequate input sanitization that fails to properly validate file extensions and content, allowing attackers to bypass security measures designed to prevent malicious file uploads. The vulnerability is particularly concerning because it affects unauthenticated attackers, meaning anyone with access to the affected website can exploit this weakness without requiring valid credentials.

The technical root cause of this vulnerability is a classic case of insufficient validation controls that aligns with CWE-434, "Unrestricted Upload of File with Dangerous Type." The plugin's file upload functionality accepts a broad range of file extensions that could potentially be executed on the web server, including various PHP variants such as .php2, .php6, .php7, .phps, .pht, .phtm, .pgif, .shtml, .phar, .inc, .hphp, .ctp, .module, .html, and .svg. This extensive list of accepted extensions creates multiple attack vectors, since many of these file types can be interpreted by web servers as executable code or can carry embedded malicious content. Uploading a file that the server executes as a PHP script gives an attacker a pathway to arbitrary code execution on the affected host. The .phar extension is particularly dangerous because it can be used in deserialization attacks, while the various PHP extensions could be used to establish persistent backdoors or to execute malicious commands.

The operational impact of this vulnerability extends beyond simple file upload capabilities and creates a multi-layered threat landscape for affected systems. Once an attacker successfully uploads a malicious file, they can leverage this initial compromise to perform further attacks, including cross-site scripting, as noted in the vulnerability description. The ability to upload .svg files presents additional risk since SVG documents can contain embedded JavaScript that executes when the file is rendered by a web browser. The vulnerability also creates opportunities for attackers to establish persistent access through the upload of web shells or other malicious scripts that can be used to maintain control over the compromised system. Because no authentication is required, the attack surface is significantly larger than for vulnerabilities that require valid credentials, potentially affecting any website that has not updated to version 1.9.4 or later.

Security mitigations for this vulnerability must address both the immediate file upload restrictions and the broader security posture of WordPress installations. The primary remediation involves updating to version 1.9.4 or later, which contains the necessary patches to address the file validation issues. Organizations should implement comprehensive file upload validation that includes strict extension filtering, content type verification, and proper file analysis to prevent the execution of potentially malicious code. The ATT&CK framework categorizes this type of vulnerability under T1190 - Exploit Public-Facing Application, and T1059 - Command and Scripting Interpreter, highlighting the need for both application-level security controls and network monitoring. Additional protective measures should include implementing web application firewalls that can detect and block suspicious file upload patterns, restricting file upload capabilities to authenticated users only where possible, and conducting regular security audits of WordPress plugins to identify similar vulnerabilities. Organizations should also consider implementing proper file access controls and ensuring that uploaded files are stored outside of the web root directory to prevent direct execution of uploaded content. The vulnerability underscores the importance of maintaining current plugin versions and implementing robust security practices across all WordPress components to prevent similar issues from compromising system integrity.
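The strict extension filtering, content type verification and storage-naming controls recommended above, as an added example written for this page rather than code from WP ULike Pro; it assumes PHP 8 with the fileinfo extension, and the file paths and names it uses are constructed for the demo.

```php
<?php
// Added example, not code from WP ULike Pro: an allow-list validator for
// user uploads that addresses the CWE-434 pattern in the advisory.
// Assumes PHP 8 with the fileinfo extension; paths are hypothetical.
declare(strict_types=1);

// Only these extensions are accepted, each with the MIME types libmagic
// may report for it. Server-executable or browser-scriptable types
// (.php*, .phtml, .phar, .html, .svg, ...) are excluded by omission,
// which is why an allow list beats the deny list that the plugin lacked.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Returns a safe basename under which $tmpPath may be stored, or throws.
// $originalName is the client-supplied name and is never trusted.
function validate_upload(string $tmpPath, string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException("extension '.$ext' is not on the allow list");
    }

    // Check the bytes, not the name: libmagic reads the file signature.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !in_array($detected, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("content '$detected' does not match .$ext");
    }

    // Discard the client name entirely. A random name plus the verified
    // extension means "photo.php.jpg" is stored as "<hex>.jpg", so the
    // web server never sees a second, executable extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo: a file whose name carries a .phtml extension is
// refused before its bytes are even read.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "not an image");
try {
    validate_upload($tmp, 'avatar.phtml');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
unlink($tmp);
```

The returned basename should be joined to an upload directory outside the web root, as the paragraph above recommends, so that even a file that slips through cannot be requested directly.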

Disclosure

08/28/2025

Moderation

accepted

CPE

ready

EPSS

0.00099

KEV

no

Activities

very low
