WPDashboardNotes < 1.0.11 – Unauthorised Deletion of Private Notes | CVE 2023-7198 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Insecure Direct Object References (IDOR) in post_id= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises the integrity and privacy of user data.

Proof of Concept

After attacker create a note, uses the delete option. Intercepts the request and manipulate the post_id= to the victim note.

action=wpdn_delete_note&post_id=<ID-TO-DELETE>&nonce=1aa16d2949

Affects Plugins

wp-dashboard-notes

Fixed in 1.0.11

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

Miscellaneous

Original Researcher

Pedro Cuco (Illex)

Submitter

Pedro Cuco (Illex)

Verified

Yes

WPVDB ID

75fbee63-d622-441f-8675-082907b0b1e6

Timeline

Publicly Published

2023-12-19 (about 4 months ago)

Added

2024-02-02 (about 3 months ago)

Last Updated

2024-02-02 (about 3 months ago)

Other

Published

Title

Published

2023-02-14

Title

Ocean Extra < 2.1.3 - Subscriber+ Arbitrary Post Content Disclosure

Published

2023-11-27

Title

WP Shortcodes Plugin — Shortcodes Ultimate < 7.0.0 - Insecure Direct Object Reference to Information Disclosure

Published

2022-09-19

Title

Booster for WooCommerce - Subscriber+ Order Status Update

Published

2024-05-07

Title

SP Project & Document Manager <= 4.70 - Authenticated (Subscriber+) Arbitrary Folder Name Update

Published

2021-03-17

Title

BuddyPress < 7.2.1 - Read Private Messages