Impact
A cross-site request forgery (CSRF) weakness in the minhlaobao Admin Notes plugin, version 1.1 and earlier, allows an attacker to make an authenticated user perform actions through the plugin without intending to. The CVE states that the vulnerability permits forged HTTP requests but does not specify which plugin operations can be invoked. Based on the plugin's typical functionality, an attacker could likely create, edit, or delete notes, thereby altering content that is normally restricted to administrators. The weakness is classified as CWE-352 (Cross-Site Request Forgery): the plugin does not verify, for example with a CSRF token, that a state-changing request was deliberately submitted by the user.
Affected Systems
The issue affects the Admin Notes plugin by minhlaobao on any WordPress installation running version 1.1 or older of the plugin. No other plugins or vendor products are listed as affected. Administrators who use the plugin to manage notes on a site where it has not been patched or updated are exposed.
Risk and Exploitability
The CVSS base score is 4.3, indicating a moderate risk level for confidentiality, integrity, and availability. The EPSS score of less than 1 % signals that exploitation of this weakness by a public exploit is considered unlikely, and the vulnerability is not present in the CISA KEV catalog. Typical CSRF exploitation requires that the victim administrator is logged in to WordPress in their browser and is tricked into visiting a specially crafted URL or loading a malicious form. Although no public exploit is documented in the references, the inference is that the attack vector would be a GET or POST request that triggers the plugin's note-management endpoints.
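To illustrate the class of weakness CWE-352 describes and the standard WordPress mitigation, the following is an added example and not the Admin Notes plugin's own code: a hypothetical note-saving handler with no request-origin check, followed by the same handler protected with a WordPress nonce and a capability check. All function, option and action names are assumptions.

```php
<?php
// Added illustration (not the plugin's own code): a hypothetical WordPress
// admin-post handler that saves a note. The first version shows the
// CWE-352 pattern (no request-origin check); the second adds the
// standard WordPress nonce and capability checks.

// --- Vulnerable pattern: trusts any request carrying the admin's cookies ---
function insecure_save_note() {
    // Nothing ties this request to a form the user actually submitted,
    // so any page the logged-in admin visits can cause it to be sent.
    $note = sanitize_textarea_field( wp_unslash( $_POST['note'] ?? '' ) );
    update_option( 'example_admin_note', $note );
    wp_safe_redirect( admin_url( 'admin.php?page=example-notes' ) );
    exit;
}

// --- Hardened pattern: the form embeds a nonce bound to this action ---
function example_render_note_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_note">
        <?php wp_nonce_field( 'example_save_note', 'example_note_nonce' ); ?>
        <textarea name="note"></textarea>
        <?php submit_button( 'Save note' ); ?>
    </form>
    <?php
}

function example_save_note() {
    // 1. Only users allowed to manage the site may save notes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a valid nonce issued for this action and
    //    this user; check_admin_referer() stops with a 403 if it is
    //    missing, expired, or was issued for a different action.
    check_admin_referer( 'example_save_note', 'example_note_nonce' );

    $note = sanitize_textarea_field( wp_unslash( $_POST['note'] ?? '' ) );
    update_option( 'example_admin_note', $note );
    wp_safe_redirect( admin_url( 'admin.php?page=example-notes' ) );
    exit;
}

// Register only the hardened handler for logged-in users.
add_action( 'admin_post_example_save_note', 'example_save_note' );
```

A missing `check_admin_referer()` (or `wp_verify_nonce()`) call in a handler that changes state is the pattern to look for when auditing a plugin for this weakness.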