Frontend User Notes plugin allows attackers to modify notes
CVE-2025-12071
Summary
The Frontend User Notes plugin for WordPress lets an authenticated attacker with a Subscriber-level account or above modify notes that belong to other users. To fix this, update the plugin to version 2.1.1 or later.
Original title
The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to miss...
Original description
The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary notes that do not belong to them.
NVD CVSS 3.1
4.3
Vulnerability type
CWE-639: Authorization Bypass Through User-Controlled Key
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026