Impact
The Dashboard Notepad plugin contains a Cross-Site Request Forgery flaw that lets an attacker make an authenticated WordPress user perform actions within the plugin without intending to. If a logged-in user is lured to a page or URL the attacker controls, the victim's browser submits the attacker's request to the site together with the victim's session cookie, so the site executes it on the victim's behalf, potentially modifying or deleting notes and altering plugin settings. The weakness is a classic CSRF vulnerability, classified as CWE-352, and it primarily jeopardizes the integrity of user data and the configuration of the plugin.
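The pattern behind a CSRF flaw of this kind, and the standard WordPress remedy, as an added illustration that is not Dashboard Notepad's own code: a form handler that only checks the user's capability accepts any request the browser sends with the session cookie, while a handler bound to a nonce rejects requests that did not originate from a form the site rendered for that user. The function, option and action names (dn_example_*, dn_example_notes) are hypothetical; the WordPress API calls (wp_nonce_field, check_admin_referer, current_user_can, update_option) are real.

```php
<?php
// Added example, not the plugin's code. Names prefixed dn_example_ are hypothetical.

/*
 * What the attacker hosts (constructed sample). When a logged-in user loads it,
 * the browser POSTs to the victim site with the user's WordPress cookies:
 *
 *   <form id="f" method="post" action="https://victim.example/wp-admin/admin-post.php">
 *     <input type="hidden" name="action" value="dn_example_save">
 *     <input type="hidden" name="note" value="overwritten by attacker">
 *   </form>
 *   <script>document.getElementById('f').submit();</script>
 */

// --- Vulnerable pattern: capability check only, no proof the request came from
// a form this site rendered. current_user_can() passes because the cookie is sent.
function dn_example_save_vulnerable() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $note = isset( $_POST['note'] ) ? wp_kses_post( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'dn_example_notes', $note ); // attacker-chosen content is saved
    wp_safe_redirect( admin_url( 'index.php' ) );
    exit;
}

// --- Hardened pattern: the form carries a nonce tied to this user and this
// action; the handler refuses requests that lack a valid one.
function dn_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="dn_example_save">';
    // Emits a hidden field named dn_example_nonce holding a per-user, time-limited token.
    wp_nonce_field( 'dn_example_save_note', 'dn_example_nonce' );
    echo '<textarea name="note"></textarea>';
    submit_button( 'Save note' );
    echo '</form>';
}

function dn_example_save_hardened() {
    // Verifies the nonce in $_POST['dn_example_nonce'] and stops the request
    // if it is missing, stale, or was issued to a different user. A page on
    // another origin cannot read the token, so the forged POST above fails here.
    check_admin_referer( 'dn_example_save_note', 'dn_example_nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $note = isset( $_POST['note'] ) ? wp_kses_post( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'dn_example_notes', $note );
    wp_safe_redirect( admin_url( 'index.php' ) );
    exit;
}

// Route the admin-post.php action to the hardened handler (hypothetical action name).
add_action( 'admin_post_dn_example_save', 'dn_example_save_hardened' );
```

The nonce check must come before any state change, and it is not a substitute for the capability check: the nonce proves the request came from the site's own form for this user, while current_user_can() proves the user is allowed to do what the form does. Both are needed.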
Affected Systems
The affected product is Stephanie Leary's Dashboard Notepad WordPress plugin, from the initial release up to and including version 1.42. Any WordPress installation running one of these versions is vulnerable.
Risk and Exploitability
A CVSS score of 4.3 places the flaw at Medium severity, and an EPSS score below 1% reflects a low but non-zero likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires that the victim be logged in to the site and, while logged in, load attacker-controlled content that triggers the crafted request, so user interaction is required. That makes the attack moderately difficult but still feasible through a phishing message or a link planted on a page the victim visits.
OpenCVE Enrichment