Atomic Edge analysis of CVE-2025-12071:
The Frontend User Notes WordPress plugin, version 2.1.0 and earlier, contains an Insecure Direct Object Reference (IDOR) vulnerability in its AJAX note modification handler. The flaw allows authenticated users with Subscriber-level permissions or higher to modify notes belonging to other users. Its CVSS score of 4.3 reflects a medium-severity authorization bypass.
Root Cause:
The vulnerability originates in the `funp_ajax_modify_notes` function within `/frontend-user-notes/includes/ajax.php`. The function accepts a user-controlled `noteEditId` parameter via POST without verifying that the requesting user owns the target note. Lines 95-97 show the vulnerable code reading `$_POST["noteEditId"]` directly into `$cur_id`. The function then converts this to `$post_id` via `absint()` but performs no ownership check before executing modification or deletion operations.
Exploitation:
An attacker with Subscriber authentication sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `funp_ajax_modify_notes`. The request includes a malicious `noteEditId` parameter containing the numeric ID of another user’s note. The attacker also supplies a `noteAction` parameter set to `edit` or `remove` and, for edits, a `noteContent` parameter. The plugin processes this request because it verifies that the user is logged in but does not verify note ownership.
Patch Analysis:
The patch in version 2.1.1 adds an ownership verification check. After retrieving the post object for the given `$post_id`, the patched code calls `get_post_meta($post_id, '_funp_single_user_id', true)` to fetch the note’s author ID. It compares this value against the current user’s ID obtained via `funp_cur_user_id()`. If the IDs do not match, the function returns an authorization error. The patch also changes the `funp_cur_user_id()` helper function to return `absint()` instead of `esc_attr()` for type consistency.
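The following is an added illustration of the root cause and of the fix described above; it is not the plugin's code. It shows a minimal AJAX handler written in the vulnerable pattern (trusting the request-supplied note ID) beside a hardened version that resolves the note's stored owner and compares it with the current user before any write. The `example_` function names, the `example_note` post type and the nonce name are assumptions; the `noteEditId`, `noteAction` and `noteContent` parameters and the `_funp_single_user_id` meta key come from the analysis.

```php
<?php
// Added illustration, not the plugin's actual code. Names prefixed "example_",
// the post type "example_note" and the nonce name are assumptions; the request
// parameter names and the '_funp_single_user_id' meta key come from the advisory.

// --- Vulnerable pattern (as described for 2.1.0 and earlier) ---
function example_vuln_modify_note() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    // The note ID is taken straight from the request; no ownership check follows,
    // so any logged-in user can target any note ID.
    $post_id = absint( $_POST['noteEditId'] ?? 0 );
    $action  = sanitize_key( $_POST['noteAction'] ?? '' );
    if ( 'remove' === $action ) {
        wp_delete_post( $post_id, true );
    } elseif ( 'edit' === $action ) {
        wp_update_post( array(
            'ID'           => $post_id,
            'post_content' => sanitize_textarea_field( wp_unslash( $_POST['noteContent'] ?? '' ) ),
        ) );
    }
    wp_send_json_success();
}

// --- Hardened pattern (the 2.1.1 fix as described: compare the note's stored
// owner ID with the current user's ID before acting) ---
function example_note_owner_id( $post_id ) {
    // Normalise to int, mirroring the helper's change from esc_attr() to absint(),
    // so the comparison below can be strict.
    return absint( get_post_meta( $post_id, '_funp_single_user_id', true ) );
}

function example_user_can_modify_note( $post_id, $user_id ) {
    $post = get_post( $post_id );
    if ( ! $post || 'example_note' !== $post->post_type ) {
        return false; // unknown ID or not a note at all
    }
    $owner = example_note_owner_id( $post_id );
    // Strict integer comparison; a missing/zero owner never matches.
    return $owner > 0 && $owner === absint( $user_id );
}

function example_safe_modify_note() {
    check_ajax_referer( 'example_note_nonce', 'nonce' ); // CSRF protection (assumed nonce name)
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $post_id = absint( $_POST['noteEditId'] ?? 0 );
    $action  = sanitize_key( $_POST['noteAction'] ?? '' );

    // Authorization check happens before any branch that writes or deletes.
    if ( ! example_user_can_modify_note( $post_id, get_current_user_id() ) ) {
        wp_send_json_error( 'not authorized', 403 );
    }
    if ( 'remove' === $action ) {
        wp_delete_post( $post_id, true );
    } elseif ( 'edit' === $action ) {
        wp_update_post( array(
            'ID'           => $post_id,
            'post_content' => sanitize_textarea_field( wp_unslash( $_POST['noteContent'] ?? '' ) ),
        ) );
    } else {
        wp_send_json_error( 'unknown action', 400 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_modify_note', 'example_safe_modify_note' );
```

Two points are worth noting about the hardened version. First, the ownership check is a single function that runs before the `edit`/`remove` branch, so a new action added later cannot accidentally bypass it. Second, both sides of the comparison are reduced to integers with `absint()`; comparing a string returned by `esc_attr()` against an integer with a loose `==` would still work in most cases, but a strict `===` on mismatched types would silently fail every check, which is the type-consistency concern the patch addresses.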
Impact:
Successful exploitation allows authenticated low-privilege users to modify or delete any note stored by the plugin. This constitutes a data integrity violation and unauthorized data modification. Attackers could delete other users’ task lists, modify personal notes in e-learning contexts, or disrupt workflow management systems built on the plugin.
