Plugin Name: WP Dashboard Notes
- Software Type: Plugin
- Software Slug: wp-dashboard-notes
- Software Status: Active
- Software Author: sormano
- Software Downloads: 176,276
- Active Installs: 30,000
- Last Updated: January 30, 2024
- Patched Versions: 1.0.10
- Affected Versions: <= 1.0.10
- Name: WP Dashboard Notes <= 1.0.10
- Title: Missing Authorization to Arbitrary Private Notes Update
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2023-7239
- CVSS Score: 4.3
- Publicly Published: January 26, 2024
- Researcher: Pedro Cuco (Illex)
- Description: The WP Dashboard Notes plugin is vulnerable to unauthorized data modification due to insufficient permission checks on the
wpdn_update_noteAJAX action. This flaw allows authenticated users with contributor-level access or higher to alter private notes that were originally created by other users, potentially leading to misinformation or unauthorized data alterations within the WordPress dashboard.
The WP Dashboard Notes plugin, a tool designed for creating and managing notes within the WordPress admin dashboard, contains a significant security vulnerability in all versions up to and including 1.0.10. This vulnerability enables users with contributor-level access to modify private notes without proper authorization, compromising the integrity of note contents. The issue has been addressed in the patched version 1.0.10.
Discovered by security researcher Pedro Cuco (Illex), this vulnerability poses a risk to WordPress sites by allowing low-level users to manipulate dashboard notes—a feature intended for private communication and task management among site administrators and authorized users. The vulnerability stems from a lack of capability checks for actions modifying existing notes, which could be exploited to disseminate false information or disrupt site management processes.
Advice for Users:
- Immediate Action: Users of the WP Dashboard Notes plugin should verify that they have updated to version 1.0.10, where the vulnerability has been patched. If not already updated, immediate action is recommended to prevent unauthorized note modifications.
- Check for Signs of Vulnerability: Site administrators should review their dashboard notes for any unauthorized changes that may have occurred before the update and assess other areas of the site for potential security breaches.
- Alternate Plugins: While the patched version is considered secure, users may explore alternative note-taking plugins with similar functionality as a precautionary measure against future vulnerabilities.
- Stay Updated: Maintaining the latest versions of all installed plugins, themes, and the WordPress core is crucial in safeguarding against known vulnerabilities and ensuring the security of your WordPress site.
The discovery and subsequent patching of the vulnerability in the WP Dashboard Notes plugin highlight the ongoing challenges and responsibilities of managing a secure WordPress site. By staying vigilant and responsive to updates and security advisories, WordPress administrators can protect their sites from potential threats and maintain a secure environment for their content and users.