WPDashboardNotes < 1.0.11 – Unauthorised Deletion of Private Notes | CVE 2023-7198 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Insecure Direct Object References (IDOR) in post_id= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises the integrity and privacy of user data.

Proof of Concept

After attacker create a note, uses the delete option. Intercepts the request and manipulate the post_id= to the victim note.

action=wpdn_delete_note&post_id=<ID-TO-DELETE>&nonce=1aa16d2949

Affects Plugins

wp-dashboard-notes

Fixed in 1.0.11

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Pedro Cuco (Illex)

Submitter

Pedro Cuco (Illex)

Verified

Yes

WPVDB ID

75fbee63-d622-441f-8675-082907b0b1e6

Timeline

Publicly Published

2023-12-19 (about 2 years ago)

Added

2024-02-02 (about 1 year ago)

Last Updated

2024-02-02 (about 1 year ago)

Other

Published

Title

Published

2025-04-16

Title

Forminator < 1.42.1 - Order Replay Vulnerability

Published

2025-06-26

Title

Mollie Payments for WooCommerce < 8.0.3 - Unauthenticated Insecure Direct Object Reference

Published

2025-04-17

Title

Avatar <= 0.1.4 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2025-02-03

Title

JS Help Desk – The Ultimate Help Desk & Support Plugin < 2.8.9 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2025-05-13

Title

Latepoint < 5.1.93 - Unauthenticated Insecure Direct Object Reference