CVE-2023-7239

The WP Dashboard Notes WordPress plugin before 1.0.11 does not validate that the user has access to the post_id parameter in its wpdn_update_note AJAX action. This allows users with a role of contributor and above to update notes created by other users.
Configurations

No configuration.

History

16 May 2025, 17:15

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 7.5

16 May 2025, 14:43

Type: Summary
Values Removed: (none)
Values Added: (es) The WP Dashboard Notes plugin for WordPress, before version 1.0.11, does not validate that the user has access to the post_id parameter in its wpdn_update_note AJAX action. This allows users with the contributor role or higher to update notes created by other users.

15 May 2025, 20:15

Type: New CVE
Values Removed: (none)
Values Added: (none)

Information

Published : 2025-05-15 20:15

Updated : 2025-05-16 17:15


NVD link : CVE-2023-7239

Mitre link : CVE-2023-7239

CVE.ORG link : CVE-2023-7239


Products Affected

No product.

CWE

No CWE.