WP ULike < 4.7.2.1 – Subscriber+ Stored-XSS | CVE 2024-6792

Description

The plugin does not properly sanitize user display names when rendering on a public page.

Proof of Concept

1. Enable the visibility of likers on content. The easiest way is to create a new post or page and use the `wp_ulike_likers_box` shortcode:

    * Enable the toggle `Display Likers Box` from the settings page `/wp-admin/admin.php?page=wp-ulike-settings#tab=configuration/content-types`
    * Create a new post or page with a likers box using the `wp_ulike_likers_box` shortcode. e.g: `[wp_ulike_likers_box]`

2. Create a new subscriber level user with a first name of the following. Ensuring that the display name is set to contain this payload:
```
sub"id="x"tabindex="1"autofocus="1"onfocus="alert(`subf`)"x=
```

3. As this user, like the content created in step 2.

4. Observe XSS JavaScript execution when any user visits the page. You may need to hard refresh to avoid caching.