Impact
The vulnerability is a missing authorization flaw identified as CWE-862 that allows users to access or modify the Sticky Notes for WP Dashboard plugin beyond their intended permissions. Without proper access controls, an attacker could view or change note content, potentially exposing sensitive information or disrupting the user interface. The impact is confined to the data handled by the plugin and does not immediately provide remote code execution or cross‑site scripting capabilities. Based on the description, it is inferred that the flaw exists in the plugin's handling of security levels and is exploitable via the web interface that authenticates WordPress users.
Affected Systems
WordPress installations running the Sticky Notes for WP Dashboard plugin version 1.2.4 or earlier. The vendor is Web Builder 143 and the affected product is Sticky Notes for WP Dashboard. All users of these installations are subject to the flaw, regardless of WordPress user role.
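A way to check a site for the affected range stated above, as an added example that is not part of the advisory or the plugin's own code: it reads the standard WordPress plugin header from a plugin's main PHP file and compares the version against 1.2.4. The sample header is constructed, and the function names are assumptions made for illustration.

```python
import re

# Last affected release and plugin name, both taken from the advisory text.
LAST_AFFECTED = "1.2.4"
PLUGIN_NAME = "Sticky Notes for WP Dashboard"

# Header fields look like " * Plugin Name: Foo" inside the file's first comment.
_FIELD = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M
)

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE = """<?php
/**
 * Plugin Name: Sticky Notes for WP Dashboard
 * Version: 1.2.4
 */
"""


def parse_header(php_source):
    """Return the 'plugin name' and 'version' header fields, if present."""
    fields = {}
    # WordPress reads header data from the first 8 KiB of the file only.
    for key, value in _FIELD.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value.rstrip("*/ ").strip())
    return fields


def version_key(version):
    """Turn '1.2.4' or '1.2.4-beta' into a comparable tuple of integers."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(php_source):
    """True: in the affected range. False: other plugin or later version.
    None: version missing or unreadable, so the file needs manual review."""
    header = parse_header(php_source)
    if header.get("plugin name", "").lower() != PLUGIN_NAME.lower():
        return False
    version = header.get("version")
    if not version or not re.search(r"\d", version):
        return None
    return version_key(version) <= version_key(LAST_AFFECTED)


if __name__ == "__main__":
    print(is_affected(SAMPLE))
```

A `None` result means the header could not be read and should be treated as unresolved rather than as unaffected.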
Risk and Exploitability
The CVSS score of 4.3 classifies the bug as moderate. The EPSS score of less than 1% indicates a very low probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw enables privilege escalation for authenticated users in WordPress, an attacker could gain unauthorized access to note data or alter content if they can log in or impersonate a user. The most likely attack vector is the plugin’s administrative interface, requiring access to a WordPress account with any level of privileges but no additional system privileges.