Findings
- Potentially vulnerable to SQL injection: option values are placed directly into SQL statements without escaping or parameterisation (admin/admin.php lines 243-249)
Reason for the 'Potentially unsafe' result
The plugin contains or is likely to contain a vulnerability which could be exploited by an end user and which would compromise the site’s confidentiality, integrity or availability:
- CSRF allowing admins to be phished into deleting all data the plugin has stored (example: wp_ulike_posts_delete_logs doesn’t require a nonce)
- Stored XSS allowing unauthenticated users to supply a forged IP address, which is stored and later printed without escaping
- Allows any authenticated user to delete virtually anything in the database (unauthenticated users can do the same via CSRF)
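The three findings above, shown as one hardened sketch of the patterns a fix would need (capability plus nonce check on the delete action, prepared statements for option values, validated and escaped IP handling). This is an added example, not the plugin's own code; every `example_*` function, option and table name is a hypothetical placeholder.

```php
<?php
// Added illustrative sketch (not the plugin's code): how the three findings
// would be addressed. All example_* names and the example_logs table are
// hypothetical placeholders, not identifiers from the plugin.

// 1. Deleting stored data: require a capability check AND a nonce, so neither an
//    arbitrary authenticated user nor a CSRF'd admin can trigger the deletion.
function example_delete_logs() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Verifies the nonce field emitted by wp_nonce_field() with the same
    // action/name on the admin form; dies on a missing or invalid nonce.
    check_admin_referer( 'example_delete_logs_action', 'example_nonce' );

    global $wpdb;
    // The table name is built from $wpdb->prefix, never from request input.
    $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}example_logs" );
}

// 2. Option values in SQL: bind them via $wpdb->prepare() instead of
//    concatenating them into the statement.
function example_count_likes_since( $status ) {
    global $wpdb;
    $days = (int) get_option( 'example_log_retention_days', 30 );
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}example_logs
         WHERE status = %s AND date_time >= DATE_SUB(NOW(), INTERVAL %d DAY)",
        $status,
        $days
    ) );
}

// 3. Client IP: validate before storing and escape on output. Proxy headers
//    such as X-Forwarded-For are client-controlled; REMOTE_ADDR is set by the
//    web server (assumption: no trusted reverse proxy in front of the site).
function example_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

function example_render_ip( $stored_ip ) {
    // Escape at the point of output regardless of what was stored earlier.
    return '<td>' . esc_html( $stored_ip ) . '</td>';
}
```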