Improper Access Control in WP Dashboard Notes Plugin by WordPress
CVE-2023-7239

7.5HIGH

Key Information:

Vendor: WordPress
Status: WP Dashboard Notes
Vendor: CVE Published:; 15 May 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-7239?

The WP Dashboard Notes plugin for WordPress prior to version 1.0.11 contains an improper access control vulnerability. It fails to properly validate the access rights of users for the post_id parameter in its wpdn_update_note AJAX action. This oversight allows users with contributor roles or higher to modify notes created by other users, potentially leading to unauthorized alterations of critical information.

Affected Version(s)

WP Dashboard Notes 0 < 1.0.11

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-7239 - Proof of Concept

References

https://wpscan.com/vulnerability/6e6afe50-27f9-41fa-a94b-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 15, 2025
👾
Exploit known to exist
May 15, 2025
Vulnerability published
May 15, 2025
Vulnerability Reserved
Jan 22, 2024

Credit

Pedro Cuco (Illex)

WPScan