Sticky Notes for WP Dashboard <= 1.2.4 - Missing Authorization
Description
The Sticky Notes for WP Dashboard plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.2.4What Changed in the Fix
Changes introduced in v1.2.5
Source Code
WordPress.org SVN# Research Plan: CVE-2025-62087 - Missing Authorization in Sticky Notes for WP Dashboard ## 1. Vulnerability Summary The **Sticky Notes for WP Dashboard** plugin (<= 1.2.4) is vulnerable to unauthorized data modification due to missing capability checks in its AJAX handlers. While the plugin provid…
Show full research plan
Research Plan: CVE-2025-62087 - Missing Authorization in Sticky Notes for WP Dashboard
1. Vulnerability Summary
The Sticky Notes for WP Dashboard plugin (<= 1.2.4) is vulnerable to unauthorized data modification due to missing capability checks in its AJAX handlers. While the plugin provides a settings page to restrict note usage to specific roles (excluding Subscribers/Customers by default), the backend AJAX functions responsible for creating, updating, and deleting notes do not enforce these restrictions. This allows any authenticated user (Subscriber level and above) to manipulate dashboard sticky notes.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Primary Vulnerable Action:
wb_stn_save_note(Inferred fromadmin/class-wb-sticky-notes-admin.phpand associated JS assets) - Secondary Vulnerable Action:
wb_stn_submit_feedback(Verified inadmin/classes/class-wb-sticky-notes-feedback.php) - Payload Parameters:
action:wb_stn_save_notenonce: The value of thewb-sticky-notesnonce.content: The text content of the note.note_id: (Optional) The ID of the note to update.
- Authentication: Authenticated, Subscriber-level access.
3. Code Flow
- Registration: The plugin registers AJAX actions in the
Wb_Sticky_Notes_Adminclass (likely in the truncated constructor or aninithook). - Nonce Generation: In
admin/class-wb-sticky-notes-admin.php, theenqueue_scriptsfunction generates a nonce:'nonces' => array( 'main' => wp_create_nonce($this->plugin_name), // $this->plugin_name is 'wb-sticky-notes' ) - Localization: This nonce is passed to the browser via
wp_localize_scriptunder the objectwb_stn_data. - Execution: When a user interacts with a note,
admin/js/wb-sticky-notes-admin.jssends a POST request toadmin-ajax.phpusing the stored nonce. - Vulnerability: The PHP callback for
wb_stn_save_notelikely callscheck_ajax_referer(validating the nonce) but fails to callcurrent_user_can('edit_posts')or verify the user's role against the plugin'srole_namesetting.
4. Nonce Acquisition Strategy
The nonce is required for most actions. Since it is localized for the dashboard, a Subscriber can retrieve it if the plugin enqueues its scripts on the dashboard for all authenticated users.
- Setup: Log in as a Subscriber.
- Navigate: Go to the WordPress Dashboard (
/wp-admin/index.php). - Extract: Use the
browser_evaltool to extract the nonce from the global JavaScript object.- Key:
window.wb_stn_data?.nonces?.main - Action String:
wb-sticky-notes
- Key:
5. Exploitation Strategy
Goal: Create an unauthorized sticky note as a Subscriber.
- Log in as a Subscriber user.
- Extract the Nonce using the strategy in Section 4.
- Send the Exploit Request using
http_request:- URL:
http://vulnerable-hostname.tld/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=wb_stn_save_note&nonce=[EXTRACTED_NONCE]&content=<h1>Vulnerable</h1><p>Created by Subscriber</p>&x=100&y=100&width=300&height=200&theme=0&font_family=0&font_size=16
- URL:
6. Test Data Setup
- Plugin: Install
wb-sticky-notesversion 1.2.4. - User: Create a user with the
Subscriberrole. - Configuration: Ensure the plugin is enabled in "Tools > Sticky Notes" (Default is usually enabled for Admins).
7. Expected Results
- The server should return a successful response (HTTP 200) with a JSON body or a Note ID (e.g.,
{"success":true,"data":...}). - An administrator logging into the dashboard should see the "Vulnerable" sticky note created by the Subscriber.
8. Verification Steps
- Database Check: Verify the note exists in the database.
# Assuming the table name follows the standard pattern wp db query "SELECT * FROM wp_wb_stn_notes WHERE content LIKE '%Vulnerable%'" - Dashboard UI: Use
browser_navigateto view the dashboard as an Administrator and confirm the note's presence.
9. Alternative Approaches
If wb_stn_save_note enforces a strict check, target the feedback mechanism which appears to lack even a nonce check in the provided source:
- Action:
wb_stn_submit_feedback - Request:
POST /wp-admin/admin-ajax.php Content-Type: application/x-www-form-urlencoded Body: action=wb_stn_submit_feedback&reason=other&reason_brief=Unauthorized+Feedback+Injection - File Reference:
admin/classes/class-wb-sticky-notes-feedback.php, line 24.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.