Admin Notes Security & Risk Analysis

wordpress.org/plugins/admin-note

Create notes for admin, one can assign to certain members easily.

10 active installs · v1.1 · PHP + WP 3.0.1+ · Updated Jan 23, 2014

Tags: admin-note, admin-note-add-user, admin-note-user, admin-notes

Score: 63 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Jun 5, 2025
Safety Verdict

Is Admin Notes Safe to Use in 2026?

Use With Caution

Score 63/100

Admin Notes has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Jun 5, 2025 · Updated 12yr ago
Risk Assessment

The 'admin-note' plugin v1.1 exhibits a mixed security posture. Static analysis indicates a minimal attack surface: no exposed AJAX handlers, REST API routes, shortcodes, or cron events without proper checks. Significant concerns arise, however, from the code's internal practices. None of the SQL queries use prepared statements, and 0% of outputs are properly escaped, which together present a substantial risk. The taint analysis, which revealed one high-severity flow with an unsanitized path, further exacerbates these issues and suggests potential for injection vulnerabilities.

The plugin's vulnerability history, despite only one known medium CVE, is concerning because that CVE is recent and remains unpatched. This indicates a pattern of security oversights and a lack of prompt remediation. While the plugin does implement one capability check, the absence of nonces on any entry points (though none are explicitly listed as unprotected) and the widespread use of raw SQL are critical weaknesses that overshadow the minimal attack surface. Users should exercise extreme caution, as the internal code quality and the unaddressed past vulnerability suggest a high likelihood of future security issues.

Key Concerns

  • All SQL queries use raw statements
  • No output escaping
  • High severity unsanitized taint flow
  • One unpatched medium CVE
  • No nonce checks
Vulnerabilities
1 published

Admin Notes Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-49446 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Admin Notes <= 1.1 - Cross-Site Request Forgery

Jun 5, 2025 · Unpatched
Version History

Admin Notes Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

Admin Notes Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 8 (0 prepared)
Unescaped Output: 20 (0 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared · 8 total queries

Output Escaping

0% escaped · 20 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

3 flows · 1 with unsanitized paths
Unsanitized flow: admin_note_menu_callback (adminnote.php:61)
Attack Surface

Admin Notes Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 2
  • action admin_head (adminnote.php:52)
  • action admin_menu (adminnote.php:376)
Maintenance & Trust

Admin Notes Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.4.2
Last updated: Jan 23, 2014
PHP min version
Downloads: 3K

Community Trust

Rating: 86/100
Number of ratings: 4
Active installs: 10
Developer Profile

Admin Notes Developer Profile

minhlaobao

1 plugin · 10 total installs

Trust score: 68
Avg Security Score: 63/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Admin Notes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/adminnote/note.css
/wp-content/plugins/adminnote/jquery.validate.min.js
Script Paths
/wp-content/plugins/adminnote/jquery.validate.min.js
Version Parameters
adminnote/note.css?ver=
adminnote/jquery.validate.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
pagination, note, note_loading
Data Attributes
data-note_id
JS Globals
jQuery
FAQ

Frequently Asked Questions about Admin Notes