Description
The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary notes that do not belong to them.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Untrusted note modification by any authenticated Subscriber or higher
Action: Apply Update
AI Analysis

Impact

This issue is an insecure direct object reference in the 'funp_ajax_modify_notes' AJAX endpoint of the Frontend User Notes WordPress plugin. An attacker who is logged in with Subscriber-level or higher access can modify any note, including notes owned by other users, because the handler takes the note identifier from the request and never checks that the referenced note belongs to the authenticated user. The weakness is a classic IDOR (CWE-639) against the integrity of user-generated content; the CVSS vector records no confidentiality impact, so the supported effect is unauthorized modification (overwriting or defacing other users' notes), not disclosure of their contents.
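To make the missing check concrete, here is an added illustration of the CWE-639 pattern in a WordPress AJAX handler, with the vulnerable shape beside a hardened one. This is not the Frontend User Notes plugin's code: the note storage (a hypothetical 'funp_note' custom post type whose post_author is the owner), the request parameters 'note_id' and 'content', the nonce action 'funp_modify_note' and the function and hook names are all assumptions made for the example.

```php
<?php
// Added example of the IDOR pattern; not the plugin's own code.
// Assumptions: notes are a 'funp_note' custom post type owned via
// post_author, and the request carries 'note_id', 'content' and 'nonce'.

// Vulnerable shape: the note ID is user controlled and used as-is.
function funp_example_modify_note_vulnerable() {
    // A nonce check stops CSRF but says nothing about who owns the note.
    check_ajax_referer( 'funp_modify_note', 'nonce' );

    $note_id = (int) $_POST['note_id'];
    $content = wp_kses_post( wp_unslash( $_POST['content'] ) );

    // Any logged-in user can supply any note ID here.
    wp_update_post( array( 'ID' => $note_id, 'post_content' => $content ) );
    wp_send_json_success();
}

// Hardened shape: authorize the specific object, not just the caller.
function funp_example_modify_note_hardened() {
    check_ajax_referer( 'funp_modify_note', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    $note_id = isset( $_POST['note_id'] ) ? absint( $_POST['note_id'] ) : 0;
    $note    = $note_id ? get_post( $note_id ) : null;

    // Object-level check: the note must exist, be a note, and belong to the caller.
    // Missing and foreign IDs get the same response so the endpoint is not an ID oracle.
    if ( ! $note || 'funp_note' !== $note->post_type
        || (int) $note->post_author !== get_current_user_id() ) {
        wp_send_json_error( 'not found', 404 );
    }

    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';
    $result  = wp_update_post(
        array( 'ID' => $note->ID, 'post_content' => $content ),
        true // return WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $note->ID ) );
}

// Hypothetical action slug; wp_ajax_* hooks fire only for logged-in users.
add_action( 'wp_ajax_funp_example_modify_note', 'funp_example_modify_note_hardened' );
```

The important line is the ownership comparison against get_current_user_id(): a capability check such as current_user_can( 'edit_posts' ) would not help on its own, because every Subscriber is equally entitled to edit notes and the bug is about which note, not whether notes may be edited at all.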

Affected Systems

The vulnerability affects the Frontend User Notes plugin developed by absikandar. All released versions up to and including 2.1.0 are affected. The CVE record lists no vendor reference, so the fixed version is not confirmed on this page; the next release, 2.1.1, is presumed to contain the fix and should be checked against the plugin's changelog before relying on it.

Risk and Exploitability

The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) rates the issue as medium severity: it is reachable over the network with low attack complexity, requires a low-privilege account, needs no user interaction, and affects integrity only. The EPSS score of less than 1 % and the absence of the issue from the CISA KEV catalog suggest exploitation is not currently widespread. The only precondition is a valid session for any WordPress account of Subscriber level or higher; on sites with open registration that is available to anyone, so this is a remotely exploitable web attack and not a local one.

Generated by OpenCVE AI on April 22, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround is recorded on the CVE entry itself; the update to 2.1.1 recommended below is an inference from the affected-version range, not a vendor statement.

OpenCVE Recommended Actions

  • Update the Frontend User Notes plugin to version 2.1.1 or later, after confirming from the plugin's changelog that the release adds the missing ownership validation.
  • Until the update is applied, gate the 'funp_ajax_modify_notes' AJAX action (for example from a must-use plugin hooked at a lower priority than the plugin's own handler) so that low-privilege roles cannot reach it. A role check alone does not close an IDOR between users of the same role, so treat this as an interim measure only.
  • When auditing or patching the plugin, have the handler load the note by its ID and verify that the note's owner matches get_current_user_id() (or an equivalent per-object capability check) before any write, returning the same error for missing and foreign IDs so the endpoint cannot be used to enumerate note IDs.
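The interim gate from the second recommendation, as an added example that is not part of the plugin or of any vendor guidance. It assumes that 'funp_ajax_modify_notes' is the AJAX action slug the plugin registers with add_action( 'wp_ajax_funp_ajax_modify_notes', ... ); if the advisory is naming the handler function instead, substitute the real slug. The file and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Interim gate for funp_ajax_modify_notes
 * Description: Added example of a temporary mitigation; not part of the
 *              Frontend User Notes plugin. Drop into wp-content/mu-plugins/
 *              and delete it once the plugin has been updated.
 */

// Assumption: the plugin's own handler is attached to this hook at the
// default priority 10. Priority 0 runs first; wp_send_json_error() ends the
// request via wp_die(), so the plugin's handler never executes for blocked users.
add_action( 'wp_ajax_funp_ajax_modify_notes', 'funp_interim_gate', 0 );

function funp_interim_gate() {
    // Without the plugin's request format we cannot check note ownership
    // here, so block the whole endpoint for roles that should not need it.
    // 'edit_others_posts' is held by Editors and Administrators by default;
    // tighten to 'manage_options' if only Administrators should pass.
    if ( current_user_can( 'edit_others_posts' ) ) {
        return; // trusted roles fall through to the plugin's handler
    }

    error_log( sprintf(
        'funp_interim_gate: blocked user %d from funp_ajax_modify_notes',
        get_current_user_id()
    ) );
    wp_send_json_error( 'endpoint disabled pending plugin update', 403 );
}
```

This gate also blocks legitimate note edits by Subscribers, which is the cost of not knowing the request format; it is a stopgap to buy time for the update, not a replacement for the per-object ownership check the plugin itself needs.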

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 15:15:00 +0000

  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

  First Time appeared (added): Absikandar; Absikandar frontend User Notes; Wordpress; Wordpress wordpress
  Vendors & Products (added): Absikandar; Absikandar frontend User Notes; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 05:00:00 +0000

  Description (added): The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary notes that do not belong to them.
  Title (added): Frontend User Notes <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification
  Weaknesses (added): CWE-639
  References: (none recorded)
  Metrics (added): cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:58.364Z

Reserved: 2025-10-22T14:02:38.741Z

Link: CVE-2025-12071

Vulnrichment

Updated: 2026-02-18T14:44:23.510Z

NVD

Status : Deferred

Published: 2026-02-18T05:16:16.683

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:00:08Z

Weaknesses