Frontend User Notes Security & Risk Analysis

wordpress.org/plugins/frontend-user-notes

Allow site members to add and save personal notes from frontend. Suited for membership and e-learning sites. Fast, secure and fully ajax loading.

60 active installs v2.1.1 PHP 5.6+ WP 4.5+ Updated Nov 14, 2025
e-learningmembershipnotepadnotesuser
98
A · Safe
CVEs total2
Unpatched0
Last CVEJun 5, 2026
Safety Verdict

Is Frontend User Notes Safe to Use in 2026?

Generally Safe

Score 98/100

Frontend User Notes has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Jun 5, 2026Updated 7mo ago
Risk Assessment

The "frontend-user-notes" plugin version 2.1.1 exhibits a generally strong security posture based on static analysis, with no identified dangerous functions, SQL injection vulnerabilities, file operations, or external HTTP requests. The plugin demonstrates good practices by utilizing prepared statements for all SQL queries and implementing nonce and capability checks on its entry points. A high percentage of output escaping (86%) is also a positive sign. However, the presence of 3 AJAX handlers, while all reportedly checked for authentication, still represents an attack surface that requires careful ongoing scrutiny. The plugin's history includes one known CVE, which was an Authorization Bypass Through User-Controlled Key vulnerability. While this CVE is currently unpatched, its severity was only medium. The fact that the last vulnerability occurred in the future (2026-02-17) is an anomaly and should be investigated as a data integrity issue rather than a current security threat.

Key Concerns

  • One known CVE recorded
  • Medium severity CVE
  • 86% output escaping
  • 3 AJAX handlers present
Vulnerabilities
2 published

Frontend User Notes Security Vulnerabilities

CVEs by Year

2 CVEs in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2026-7047medium · 4.3Cross-Site Request Forgery (CSRF)

Frontend User Notes <= 2.1.1 - Cross-Site Request Forgery to Note Content Modification via 'confirmEdit' Action

Jun 5, 2026 Patched in 2.2.0 (1d)
CVE-2025-12071medium · 4.3Authorization Bypass Through User-Controlled Key

Frontend User Notes <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification

Feb 17, 2026 Patched in 2.1.1 (1d)
Code Analysis
Analyzed Mar 16, 2026

Frontend User Notes Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
23
137 escaped
Nonce Checks
4
Capability Checks
3
File Operations
0
External Requests
0
Bundled Libraries
1

Bundled Libraries

DataTables

Output Escaping

86% escaped160 total outputs
Attack Surface

Frontend User Notes Attack Surface

Entry Points4
Unprotected0

AJAX Handlers 3

authwp_ajax_funp_ajax_load_notesincludes\ajax.php:7
authwp_ajax_funp_ajax_create_noteincludes\ajax.php:41
authwp_ajax_funp_ajax_modify_notesincludes\ajax.php:101

Shortcodes 1

[fun-my-notes] includes\main.php:120
WordPress Hooks 13
actionadmin_initadmin\admin_functions.php:12
actionadmin_menuadmin\admin_functions.php:13
actioninitadmin\admin_functions.php:14
actionadd_meta_boxesadmin\admin_functions.php:15
actionsave_postadmin\admin_functions.php:16
filtermanage_frontend-user-notes_posts_columnsadmin\admin_functions.php:17
actionmanage_frontend-user-notes_posts_custom_columnadmin\admin_functions.php:18
filterplugin_action_linksadmin\admin_functions.php:19
actionadmin_enqueue_scriptsadmin\class\class_settings.php:11
actionwp_enqueue_scriptsincludes\main.php:11
actionwp_footerincludes\main.php:103
actiontemplate_redirectincludes\main.php:347
actioninitincludes\main.php:358
Maintenance & Trust

Frontend User Notes Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedNov 14, 2025
PHP min version5.6
Downloads2K

Community Trust

Rating100/100
Number of ratings3
Active installs60
Developer Profile

Frontend User Notes Developer Profile

Abu Bakar

4 plugins · 710 total installs

81
trust score
Avg Security Score
90/100
Avg Patch Time
89 days
View full developer profile
Detection Fingerprints

How We Detect Frontend User Notes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/frontend-user-notes/admin/css/funp_admin_styles.css/wp-content/plugins/frontend-user-notes/admin/js/funp_admin_scripts.js/wp-content/plugins/frontend-user-notes/includes/css/style.css/wp-content/plugins/frontend-user-notes/includes/css/datatables.min.css/wp-content/plugins/frontend-user-notes/includes/js/jquery.dataTables.min.js/wp-content/plugins/frontend-user-notes/includes/js/main.js/wp-content/plugins/frontend-user-notes/includes/js/notes.js
Script Paths
/wp-content/plugins/frontend-user-notes/admin/js/funp_admin_scripts.js/wp-content/plugins/frontend-user-notes/includes/js/jquery.dataTables.min.js/wp-content/plugins/frontend-user-notes/includes/js/main.js/wp-content/plugins/frontend-user-notes/includes/js/notes.js
Version Parameters
frontend-user-notes/admin/css/funp_admin_styles.css?ver=frontend-user-notes/admin/js/funp_admin_scripts.js?ver=frontend-user-notes/includes/css/style.css?ver=frontend-user-notes/includes/css/datatables.min.css?ver=frontend-user-notes/includes/js/jquery.dataTables.min.js?ver=frontend-user-notes/includes/js/main.js?ver=frontend-user-notes/includes/js/notes.js?ver=

HTML / DOM Fingerprints

CSS Classes
funp-notes-wrapperfunp-add-note-formfunp-note-list
HTML Comments
<!-- Frontend User Notes Plugin --><!-- Start Frontend User Notes --><!-- End Frontend User Notes -->
Data Attributes
data-funp-noncedata-funp-actiondata-funp-post-id
JS Globals
funp_ajax_objectfrontend_notes_obj
REST Endpoints
/wp-json/funp/v1/notes
Shortcode Output
[frontend_user_notes]
FAQ

Frequently Asked Questions about Frontend User Notes