WordPress Plugin Vulnerabilities

Plugin Notes Plus < 1.2.8 - Authenticated (Subscriber+) Arbitrary Note Deletion

Description

The Plugin Notes Plus plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pnp_delete_response() function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary notes.

Affects Plugins

Plugin icon
plugin-notes-plus
Fixed in 1.2.8

References

CVE
CVE-2024-43326
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e505b376-89ca-4df1-85a1-f8c472325547

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
f79c5fb5-6570-4803-9854-75f7abb382ce

Timeline

Publicly Published
2024-08-16 (about 1 year ago)
Added
2024-08-19 (about 1 year ago)
Last Updated
2024-08-19 (about 1 year ago)

Other

Published
Title
Published
2023-11-07
Title
Visitors Traffic Real Time Statistics < 7.3 - Missing Authorization via multiple AJAX actions
Published
2026-01-14
Title
Universal Google Adsense and Ads manager <= 1.1.8 - Missing Authorization
Published
2024-08-26
Title
Droip < 2.5.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Settings Change
Published
2025-02-14
Title
Distance Based Shipping Calculator < 2.0.23 - Missing Authorization
Published
2024-03-06
Title
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.8 - Missing Authorization to Unauthenticated Media Deletion