Description
The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funp_ajax_modify_notes function. This makes it possible for unauthenticated attackers to cause unauthorized overwriting of a victim's own note content through a forged cross-site request to wp_update_post(), provided they can trick a logged-in user (for example a site administrator) into performing an action such as clicking on a link. Because ownership enforcement compares the note's stored _funp_single_user_id meta against the current session's user ID, the attack is limited to modifying only notes belonging to the tricked victim, and cannot be used to alter notes owned by arbitrary third-party users.
Published: 2026-06-05
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Frontend User Notes plugin for WordPress is vulnerable to a Cross‑Site Request Forgery (CWE‑352) that allows an unauthenticated attacker to overwrite a logged‑in user's note. The flaw arises from missing or incorrect nonce validation in the AJAX function funp_ajax_modify_notes, permitting a forged POST request to wp_update_post to replace note content. Because the plugin checks a stored meta field against the current user ID, the attack can modify only the victim's own notes, not those of other users.

Affected Systems

All WordPress sites running Frontend User Notes up to version 2.1.1. The plugin must be active and users must be able to create or edit notes for the vulnerability to be exploitable.

Risk and Exploitability

The CVSS score of 4.3 indicates a low-to-moderate risk. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, so there is no indication of widespread exploitation. Attackers need only persuade a logged-in user to visit a malicious page; the CSRF can then trigger the note overwrite via a forged AJAX request. The impact is limited by the ownership check, so it is confined to the victim's own notes, but it still constitutes unauthorized data modification.

Generated by OpenCVE AI on June 6, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of Frontend User Notes that includes the nonce validation fix for the CSRF weakness (CWE‑352).
  • If an immediate update is not possible, disable the funp_ajax_modify_notes endpoint or remove the AJAX handler that allows note modification, effectively blocking the vulnerable path.
  • Enable site‑wide CSRF protection by ensuring that all AJAX requests include a valid nonce and that the server validates it before processing changes, following WordPress CSRF best practices.
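The nonce-validated handler that the last recommendation describes, written here as an added illustration and not the plugin's own code. The AJAX action name, nonce action, script handle and request field names are hypothetical; the ownership check against the note's _funp_single_user_id meta follows the description above.

```php
<?php
// Added illustration, not the plugin's own code. The AJAX action name,
// nonce action, script handle and request field names are assumptions.

// Client side: mint a nonce tied to the logged-in user's session and expose
// it to the script that sends the AJAX request. 'funp-example-js' is an
// assumed handle registered elsewhere with wp_register_script().
function funp_example_localize_nonce() {
    wp_localize_script( 'funp-example-js', 'funpExample', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'funp_modify_note' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'funp_example_localize_nonce' );

// Server side: the handler refuses to run without a valid nonce. A page on
// another origin cannot read the victim's nonce, so a forged cross-site
// request fails here before reaching wp_update_post().
function funp_example_modify_note() {
    // Dies with HTTP 403 when $_REQUEST['nonce'] is missing or invalid.
    check_ajax_referer( 'funp_modify_note', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }

    $note_id = isset( $_POST['note_id'] ) ? absint( $_POST['note_id'] ) : 0;
    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';

    // Ownership check as the description states it: the note's stored
    // _funp_single_user_id meta must equal the current session's user ID.
    $owner = (int) get_post_meta( $note_id, '_funp_single_user_id', true );
    if ( 0 === $note_id || $owner !== get_current_user_id() ) {
        wp_send_json_error( 'not the owner of this note', 403 );
    }

    $result = wp_update_post( array(
        'ID'           => $note_id,
        'post_content' => $content,
    ), true ); // second argument: return WP_Error instead of 0 on failure

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'note_id' => $note_id ) );
}
add_action( 'wp_ajax_funp_example_modify_note', 'funp_example_modify_note' );
```

The nonce check runs before any state change, so a request that lacks the per-session token is rejected regardless of whether the ownership check would have passed.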

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 02:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Absikandar; Absikandar frontend User Notes; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Absikandar; Absikandar frontend User Notes; Wordpress; Wordpress wordpress

Sat, 06 Jun 2026 00:00:00 +0000

Type: Description
Values Removed: none
Values Added: The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funp_ajax_modify_notes function. This makes it possible for unauthenticated attackers to trick a logged-in user into visiting a malicious page, causing unauthorized overwriting of that victim's own note content via a forged cross-site request to wp_update_post() via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to ownership enforcement comparing the note's stored _funp_single_user_id meta against the current session's user ID, the attack is limited to modifying only notes belonging to the tricked victim, and cannot be used to alter notes owned by arbitrary third-party users.

Type: Title
Values Removed: none
Values Added: Frontend User Notes <= 2.1.1 - Cross-Site Request Forgery to Note Content Modification via 'confirmEdit' Action

Type: Weaknesses
Values Removed: none
Values Added: CWE-352

Type: References
Values Removed: none
Values Added: none

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-05T23:28:25.877Z

Reserved: 2026-04-25T17:27:39.790Z

Link: CVE-2026-7047

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-06T00:16:41.623

Modified: 2026-06-06T00:16:41.623

Link: CVE-2026-7047

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T02:30:09Z

Weaknesses