CVE-2025-62087

Sticky Notes for WP Dashboard <= 1.2.4 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.2.5
Patched in
57d
Time to patch

Description

The Sticky Notes for WP Dashboard plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.4
PublishedDecember 31, 2025
Last updatedFebruary 25, 2026
Affected pluginwb-sticky-notes

What Changed in the Fix

Changes introduced in v1.2.5

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2025-62087 - Missing Authorization in Sticky Notes for WP Dashboard ## 1. Vulnerability Summary The **Sticky Notes for WP Dashboard** plugin (<= 1.2.4) is vulnerable to unauthorized data modification due to missing capability checks in its AJAX handlers. While the plugin provid…

Show full research plan

Research Plan: CVE-2025-62087 - Missing Authorization in Sticky Notes for WP Dashboard

1. Vulnerability Summary

The Sticky Notes for WP Dashboard plugin (<= 1.2.4) is vulnerable to unauthorized data modification due to missing capability checks in its AJAX handlers. While the plugin provides a settings page to restrict note usage to specific roles (excluding Subscribers/Customers by default), the backend AJAX functions responsible for creating, updating, and deleting notes do not enforce these restrictions. This allows any authenticated user (Subscriber level and above) to manipulate dashboard sticky notes.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Primary Vulnerable Action: wb_stn_save_note (Inferred from admin/class-wb-sticky-notes-admin.php and associated JS assets)
  • Secondary Vulnerable Action: wb_stn_submit_feedback (Verified in admin/classes/class-wb-sticky-notes-feedback.php)
  • Payload Parameters:
    • action: wb_stn_save_note
    • nonce: The value of the wb-sticky-notes nonce.
    • content: The text content of the note.
    • note_id: (Optional) The ID of the note to update.
  • Authentication: Authenticated, Subscriber-level access.

3. Code Flow

  1. Registration: The plugin registers AJAX actions in the Wb_Sticky_Notes_Admin class (likely in the truncated constructor or an init hook).
  2. Nonce Generation: In admin/class-wb-sticky-notes-admin.php, the enqueue_scripts function generates a nonce:
    'nonces' => array(
        'main' => wp_create_nonce($this->plugin_name), // $this->plugin_name is 'wb-sticky-notes'
    )
    
  3. Localization: This nonce is passed to the browser via wp_localize_script under the object wb_stn_data.
  4. Execution: When a user interacts with a note, admin/js/wb-sticky-notes-admin.js sends a POST request to admin-ajax.php using the stored nonce.
  5. Vulnerability: The PHP callback for wb_stn_save_note likely calls check_ajax_referer (validating the nonce) but fails to call current_user_can('edit_posts') or verify the user's role against the plugin's role_name setting.

4. Nonce Acquisition Strategy

The nonce is required for most actions. Since it is localized for the dashboard, a Subscriber can retrieve it if the plugin enqueues its scripts on the dashboard for all authenticated users.

  1. Setup: Log in as a Subscriber.
  2. Navigate: Go to the WordPress Dashboard (/wp-admin/index.php).
  3. Extract: Use the browser_eval tool to extract the nonce from the global JavaScript object.
    • Key: window.wb_stn_data?.nonces?.main
    • Action String: wb-sticky-notes

5. Exploitation Strategy

Goal: Create an unauthorized sticky note as a Subscriber.

  1. Log in as a Subscriber user.
  2. Extract the Nonce using the strategy in Section 4.
  3. Send the Exploit Request using http_request:
    • URL: http://vulnerable-hostname.tld/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=wb_stn_save_note&nonce=[EXTRACTED_NONCE]&content=<h1>Vulnerable</h1><p>Created by Subscriber</p>&x=100&y=100&width=300&height=200&theme=0&font_family=0&font_size=16
      

6. Test Data Setup

  1. Plugin: Install wb-sticky-notes version 1.2.4.
  2. User: Create a user with the Subscriber role.
  3. Configuration: Ensure the plugin is enabled in "Tools > Sticky Notes" (Default is usually enabled for Admins).

7. Expected Results

  • The server should return a successful response (HTTP 200) with a JSON body or a Note ID (e.g., {"success":true,"data":...}).
  • An administrator logging into the dashboard should see the "Vulnerable" sticky note created by the Subscriber.

8. Verification Steps

  1. Database Check: Verify the note exists in the database.
    # Assuming the table name follows the standard pattern
    wp db query "SELECT * FROM wp_wb_stn_notes WHERE content LIKE '%Vulnerable%'"
    
  2. Dashboard UI: Use browser_navigate to view the dashboard as an Administrator and confirm the note's presence.

9. Alternative Approaches

If wb_stn_save_note enforces a strict check, target the feedback mechanism which appears to lack even a nonce check in the provided source:

  • Action: wb_stn_submit_feedback
  • Request:
    POST /wp-admin/admin-ajax.php
    Content-Type: application/x-www-form-urlencoded
    Body: action=wb_stn_submit_feedback&reason=other&reason_brief=Unauthorized+Feedback+Injection
    
  • File Reference: admin/classes/class-wb-sticky-notes-feedback.php, line 24.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.