Exploitable SQL Injection in Likes Dislikes Plugin//Published on 2026-01-30//CVE-2025-4840

WP-FIREWALL SECURITY TEAM

Likes and Dislikes Plugin Vulnerability

Plugin Name WordPress Likes and Dislikes Plugin
Type of Vulnerability SQL Injection
CVE Number CVE-2025-4840
Urgency Critical
CVE Publish Date 2026-01-30
Source URL CVE-2025-4840

Urgent Security Advisory: Unauthenticated SQL Injection in “Likes and Dislikes” WordPress Plugin (<= 1.0.0)

Summary

  • A critical SQL Injection vulnerability (CVE-2025-4840, CVSS 9.3) has been disclosed in the “Likes and Dislikes” WordPress plugin (versions <= 1.0.0).
  • The flaw allows unauthenticated attackers to send crafted requests that can cause the plugin to execute injected SQL statements against your WordPress database.
  • Impact ranges from data exposure (user data, content, tokens) to partial database modification and potential path to full compromise.
  • At the time of disclosure there is no official vendor patch available for affected versions. Immediate mitigations and containment are critical.

As the WP-Firewall security team, we treat vulnerabilities like this with the highest urgency. Below we provide a real-world, practical guide: what this vulnerability means, how attackers can exploit it, how to identify if your site is affected, and the concrete steps you should take right now to protect your sites and recover if you suspect a compromise.

1. What is SQL Injection and why this matters

SQL Injection (SQLi) is a class of vulnerability where a web application accepts unsanitized input and uses it inside SQL queries. When attackers can influence SQL query structure, they can read, modify, or delete data from the database. With an unauthenticated SQLi (no login required), the attacker does not need valid WordPress credentials — they can target your site from anywhere.

This particular vulnerability is rated CVSS 9.3 — high severity — because:

  • It is remotely exploitable over the web (no network access restrictions).
  • No authentication is required.
  • The vulnerability allows direct interactions with the database, potentially exposing sensitive data (user accounts, emails, hashed passwords, session tokens) and allowing limited modifications.

If unmitigated, attackers can:

  • Exfiltrate user data (emails, usernames, stored metadata).
  • Create backdoors or admin accounts via SQL modifications.
  • Corrupt content or perform destructive operations.
  • Use revealed database information to pivot to other systems.

2. What we know about this specific vulnerability

  • Affected plugin: Likes and Dislikes (WordPress plugin).
  • Affected versions: <= 1.0.0.
  • Vulnerability type: Unauthenticated SQL Injection.
  • CVE: CVE-2025-4840.
  • Severity: High (CVSS 9.3).
  • Status at disclosure: No official vendor fix available.

The exact vulnerable endpoint and parameter(s) are part of the technical disclosure. We will not reproduce exploit code here. Instead, we provide detection and mitigation guidance so you can act without introducing additional risk.

3. Immediate risk assessment for site owners

Ask yourself:

  • Do you have the Likes and Dislikes plugin installed, and is its version <= 1.0.0?
  • Is the plugin active on your site?
  • Do you host multiple WordPress sites with shared credentials or shared databases?

If the plugin is installed and active and not patched, your site is at immediate risk. Because this is an unauthenticated vulnerability, exposure is high: attackers can probe sites en masse and quickly weaponize a proof-of-concept.

Sites with the plugin installed on shared hosting or with other weak controls are at higher risk of a broader compromise (e.g., lateral movement to other accounts on the same server, or theft of sensitive data).

4. Immediate action checklist (first 60–120 minutes)

If you host affected sites, take these urgent containment steps now.

  1. Identify affected sites
    • Check the WordPress plugin list for the plugin name and version.
    • From the server shell or wp-admin plugin list:
      • wp-cli: wp plugin list --format=csv | grep -i 'likes' -i
      • Or look in /wp-content/plugins/ for the plugin folder.
  2. If the plugin is active, deactivate it immediately
    • wp-admin: Plugins → deactivate the plugin.
    • wp-cli: run wp plugin deactivate <plugin-slug> (replace with actual plugin slug).
    • If you cannot access wp-admin, rename the plugin directory on the server:
      • mv wp-content/plugins/<plugin-folder> wp-content/plugins/<plugin-folder>.disabled
  3. Put the site into maintenance mode if possible
    • Prevent further automated scanning and reduce the risk while you investigate.
  4. Backup now (snapshot)
    • Take a full backup of files and database before making further changes.
    • If you have hosting-level snapshot capability, take one immediately.
    • Store the backup offline / outside the webroot.
  5. Isolate access and rotate keys
    • Change WordPress admin passwords and any related credentials (FTP/SFTP, hosting control panel).
    • Rotate database credentials — create a new DB user with a new password and update wp-config.php only after safe testing (see longer remediation section).
    • If you use SSH keys, ensure they are not compromised; rotate them if necessary.
  6. Monitor and block suspicious traffic
    • Review webserver logs for suspicious traffic targeting plugin endpoints (see Indicators, below).
    • Apply temporary WAF rules (virtual patch) to block common SQLi patterns targeting the plugin’s endpoints.
    • Block attacking IPs at the host firewall and WAF if a pattern is detected.
  7. Inform stakeholders
    • If you are managing client sites, notify your clients and brief them on the actions being taken.

These steps reduce the immediate attack surface and give you breathing room to investigate thoroughly.

5. How to detect exploitation: indicators of compromise (IoCs)

Attackers often leave traces. Look for these signals in logs, the database, and file system:

Webserver and application logs

  • Requests to plugin-related endpoints with long query strings or suspicious characters.
  • Requests containing SQL keywords (UNION, SELECT, INSERT, UPDATE, DROP) or SQL control sequences in unexpected places.
  • Unusual POST requests from remote IPs to endpoints that previously saw only legitimate traffic.

Database signs

  • New or modified users in wp_users (especially users with administrator privileges you did not create).
  • Unexpected entries in wp_options, wp_postmeta, wp_usermeta referencing unknown code or obfuscated strings.
  • Large SELECT queries from unexpected sources (if detailed DB logs are enabled).
  • Sudden changes to serialized option values.

Files and filesystem

  • New PHP files in /wp-content/uploads/, /wp-content/plugins/, or root with unusual names.
  • Modified core files (index.php, wp-config.php) or plugin files that you did not modify.
  • Webshell signatures or encoded payloads in files.

Typical attack patterns (for detection only — do not attempt to reproduce)

  • Requests with fragments like UNION SELECT, OR 1=1, or sleep(...) may indicate SQLi probing.
  • Requests with long encoded payloads, suspicious base64 strings, or many special characters.

Recommended detection queries

  • Search access logs for keywords: 
    grep -E "UNION|SELECT|sleep|benchmark|information_schema|OR 1=1" /var/log/apache2/access.log
  • Search WordPress database for recent admin users: 
    SELECT user_login, user_email, user_registered FROM wp_users ORDER BY user_registered DESC LIMIT 20;
  • List recently modified files: 
    find /var/www/html -type f -mtime -7 -print

    (adjust path and time).

If any of the above indicators look unusual, treat the site as potentially compromised and escalate to full incident response.

6. Longer-term remediation and recovery (next 24–72 hours)

If you confirmed the plugin was present and especially if you see IoCs, follow this recovery sequence.

  1. Keep the site isolated (maintenance mode, firewall rules).
  2. Preserve evidence
    • Keep backups and relevant logs untouched for investigation.
    • If you’ll involve a forensic team, do not overwrite logs.
  3. Rebuild or clean
    Option A — Rebuild from clean sources (recommended when compromise is confirmed):

    • Provision a fresh WordPress instance.
    • Use fresh database (or a clean restored DB from before the compromise).
    • Install only audited plugins and themes from official sources.
    • Restore content through exporting posts/media or by selectively restoring sanitized database entries.

    Option B — Clean in-place (higher risk, acceptable only for small, well-contained intrusions):

    • Remove suspected malicious files.
    • Replace core files with fresh copies from WordPress.org.
    • Reinstall plugins and themes from trusted sources or use fresh copies.
    • Ensure DB integrity and remove injected rows.
  4. Rotate all secrets and credentials
    • New database user + password, update wp-config.php.
    • New WordPress admin passwords and force password reset for all users.
    • Rotate any API keys, third-party integrations, and hosting panel credentials.
  5. Apply principle of least privilege
    • Ensure the DB user has only necessary privileges.
    • Harden file permissions (wp-content/uploads writable but others restricted).
    • Remove unused plugins and themes; keep all software up-to-date.
  6. Increase monitoring
    • Enable advanced logging and alerts (file integrity monitoring, login alerts).
    • Schedule regular malware scans.
    • Set up weekly security reports (if you have that capability through your security tools).
  7. Post-incident review
    • Determine root cause (confirm whether the plugin is the only cause or if other vulnerabilities were involved).
    • Document actions taken and plan for future prevention.
    • Communicate with affected users if required by law or policy (especially if user data was exfiltrated).

7. Preventive steps to reduce future risk

These are controls we recommend for all WordPress sites to reduce the chance of compromise from plugin vulnerabilities:

  • Inventory and reduce plugins: keep a minimal plugin footprint. Remove plugins that are inactive or not essential.
  • Patch management: adopt a regular patch cadence — test and apply plugin, theme, and core updates promptly.
  • Least privilege for DB user: use a database account with only the permissions WP needs. Avoid global privileges when possible.
  • File integrity monitoring: detect unexpected file changes early.
  • Restrict access to wp-admin: IP whitelisting, two-factor authentication (2FA), and strong passwords.
  • Automated scans: periodically scan for known vulnerabilities and malware signatures.
  • Web Application Firewall (WAF) and virtual patching: virtual patches block exploit attempts at the HTTP layer, reducing risk while vendor fixes are pending.
  • Network segmentation and backups: daily, encrypted backups with retention policy. Test restoration regularly.
  • Security posture reviews: periodic vulnerability assessments and third-party code reviews for custom plugins.

8. Virtual patching and WAF — Why it matters now

When a vendor fix is not yet available, virtual patching (blocking attack patterns at the web layer) is the most effective way to protect live sites quickly. A properly configured WAF can:

  • Intercept and block malicious requests targeting the vulnerable plugin endpoints.
  • Block known SQLi signatures, suspicious query strings, and typical attack behaviors.
  • Rate-limit or block scanners and automated exploitation attempts.
  • Provide additional request logging for forensic analysis.

Key advantages:

  • Immediate protection without changing application code.
  • Minimal risk to site availability (when rules are tuned correctly).
  • Centralized protection across multiple sites you manage.

At WP-Firewall we maintain mitigation rule sets that target newly disclosed plugin vulnerabilities (including SQLi patterns), and we can deploy virtual patches while official patches are pending. If you manage multiple sites, a centralized WAF reduces your response time from days to minutes.

9. How to tune detection rules (what to block / monitor)

When adding WAF rules or server-level filters, tune to avoid false positives while maximizing safety:

  • Block requests that contain SQL keywords in query parameters or POST bodies where they are not expected.
  • Rate-limit requests to plugin endpoints that normally see low volume.
  • Block requests containing encoded payloads (e.g., repeated %27, %2F, /* sequences) when unusual.
  • Monitor for high volumes of requests that include UNION, SELECT, INFORMATION_SCHEMA, SLEEP, or BENCHMARK.
  • Use parameter whitelisting when possible — only allow expected parameter names and values for plugin endpoints.

Testing: After rules are applied, test site functionality (especially parts of the site that interact with the plugin or custom endpoints) to ensure legitimate traffic is not blocked.

10. Detection and audit example workflow (practical steps)

  1. Search access logs for suspicious requests: 
    zgrep -E 'UNION|INFORMATION_SCHEMA|SLEEP|BENCHMARK|UNION SELECT|OR 1=1' /var/log/apache2/access.log*
  2. Export recent user additions: 
    wp db query "SELECT ID,user_login,user_email,user_registered FROM wp_users ORDER BY user_registered DESC LIMIT 50;" --allow-root
  3. Scan for modified files: 
    find /var/www/html -type f -mtime -30 -print | sort
  4. Look for unknown PHP files in uploads: 
    find /var/www/html/wp-content/uploads -iname '*.php' -printf '%p
'
  5. Run a malware scan with an up-to-date signature set (your security tool or scanner).
  6. If compromise indicators are found, snapshot and isolate before further changes.

11. If you suspect your site was breached

  • Immediately isolate the environment (maintenance mode, firewall rules).
  • Preserve and export logs and a backup copy.
  • Engage a trusted incident response partner if the site holds sensitive data or if you cannot complete a safe remediation in-house.
  • Rebuild from clean components wherever feasible.
  • Notify affected users if sensitive personal data was exposed — follow local laws and organizational policy.

12. Why plugin security hygiene matters

Third-party plugins are widely used to extend WordPress, but each plugin adds attack surface. A single vulnerable plugin can put an entire site — and potentially other sites on the same server — at risk. Your security posture depends as much on good plugin hygiene as on patching and monitoring.

Best practice:

  • Use only actively maintained plugins with a clear update history and support channels.
  • Remove unused plugins completely (deactivating is not enough — files remain present).
  • For critical functionality, prefer well-tested alternatives and consider custom development with a security review.

13. Frequently asked questions (FAQ)

Q: Should I delete the plugin right now?
A: If you cannot quickly test a safe upgrade and the plugin is active and vulnerable, deactivate it immediately. If it’s non-essential, remove it entirely.
Q: My plugin is installed but not active — am I still at risk?
A: In many cases, inactive plugin files can still be targeted if they expose public endpoints or contain code executed elsewhere. The safest approach is to remove unused plugins.
Q: Will rotating the DB password stop a running attack?
A: Rotating the DB password helps prevent future unauthorized DB access, but it does not retroactively remove backdoors or fraudulent users that an attacker may have created. You must investigate and clean the site.
Q: Is virtual patching safe for all sites?
A: When properly applied and tested, virtual patching is a safe and fast mitigation. However, rules must be carefully tuned to avoid disrupting legitimate functionality.

14. How WP-Firewall helps (what we provide)

As a WordPress firewall and security provider, our approach focuses on rapid protection and ongoing hardening:

  • Managed Web Application Firewall (WAF) with real-time mitigation rules targeting newly disclosed vulnerabilities.
  • Malware scanning and behavioral detection.
  • Virtual patching capability: rapid rule deployment to block exploit attempts while the vendor patch is pending.
  • Ongoing threat intelligence and weekly security reports (Pro plan).
  • Incident response guidance and support.

We combine automated protections with human triage — protecting your sites quickly while minimizing false positives and operational impact.

Get immediate baseline protection with WP-Firewall Basic (Free)

We strongly recommend all WordPress site owners take at least baseline protective measures right now. Our Basic (Free) plan includes essential protections that are designed to reduce exposure from vulnerabilities like this SQL injection while you perform remediation:

  • Essential protection: managed firewall, unlimited bandwidth, WAF, malware scanner.
  • Mitigation of OWASP Top 10 risks via pre-configured rulesets.
  • Quick deployment and easy onboarding for site owners who need immediate risk reduction.

Sign up and protect your site in minutes: https://my.wp-firewall.com/buy/wp-firewall-free-plan/

If you manage multiple sites or need automated remediation and monthly security reports, consider upgrading to our Standard or Pro plans which add automatic malware removal, IP controls, auto virtual patching, and premium support options.

15. Summary and recommended next steps (concise)

If you run a WordPress site with the “Likes and Dislikes” plugin <= 1.0.0:

  1. Immediately check if the plugin is installed and active.
  2. If active, deactivate or remove the plugin. If you cannot, apply WAF rules to block suspicious requests and put the site into maintenance mode.
  3. Take a full backup/snapshot now.
  4. Scan logs and database for indicators of compromise and rotate credentials.
  5. If you detect compromise, isolate, preserve evidence, and consider a full rebuild from clean sources.
  6. Deploy ongoing protections: WAF, automated scans, least-privilege credentials, and regular backups.

If you need assistance, our WP-Firewall team is ready to help you assess risk, deploy virtual mitigations, and walk through recovery steps. Fast mitigation reduces the window attackers have to weaponize a vulnerability and significantly lowers the chance of a large-scale, costly incident.

16. Final notes from the WP-Firewall team

Vulnerabilities like this are a stark reminder that plugin risk management must be part of any WordPress operational routine. Attackers move quickly once a flaw is disclosed; so should your defenses. We recommend a proactive posture: keep software up-to-date, remove unused components, and use layered defenses (WAF + scanning + backups + access controls).

If you’d like hands-on help or need us to apply immediate mitigation rules to your environment, sign up for our Basic (Free) plan for baseline protection and speak to our team about faster remediation and advanced protections.

Stay safe,
— The WP-Firewall Security Team

wordpress security update banner

Receive WP Security Weekly for Free 👋
Signup Now!!

Sign up to receive WordPress Security Update in your inbox, every week.

We don’t spam! Read our privacy policy for more info.

Contact us to schedule a complimentary WordPress Security consultation

Contact Us

WP-Firewall
6/F, The Rays, 71 Hung To Road, Kwun Tong, Kowloon, Hong Kong

Features Pricing Blog Login
Privacy Policy Terms of Service Docs Affiliate

© 2026 WP-Firewall™