wp-dashboard-notes < 1.0.11 – Contributor+ Arbitrary Private Notes Update via IDOR | CVE 2023-7239

Description

The plugin does not validate that the user has access to the post_id parameter in its wpdn_update_note AJAX action. This allows users with a role of contributor and above to update notes created by other users.

Proof of Concept

1. Create a note as an admin. View the source of the page to get the Note ID. This corresponds to the `post_id` parameter.
2. Login as a contributor
3. Add a new note and save
4. Edit the note and intecept the request change the `post_id` parameter to the Note ID from step one
5. When logged in as an admin, see that your original note has been modified by the contributor

```
https://example.com/wp-admin/admin-ajax.php?action=wpdn_update_note&post_id=__ADMIN-PRIVATE-NOTE__&post_content=%0A%09%09%09%09%09%09%09&post_title=Attacker+Note+Changes&note_visibility=private&note_color_text=red&note_color=%23f7846a&note_type=list&nonce=c4d50e759d
```