Threat Entry Updated 2026-06-06

CVE-2026-7047 - Frontend User Notes Plugin

The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funp_ajax_modify_notes function. This makes it possible for unauthenticated attackers to trick a logged-in user into visiting a malicious page, causing unauthorized overwriting of that victim's own note content via a forged cross-site request to wp_update_post() via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to…

PLUGIN Frontend User Notes

CVE-2026-7047

MEDIUM CVSS 4.3 2026-06-06

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-02-18

CVE-2025-12071 - Frontend User Notes Plugin

The Frontend User Notes plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'funp_ajax_modify_notes' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary notes that do not belong to them.

PLUGIN Frontend User Notes

CVE-2025-12071

MEDIUM CVSS 4.3 2026-02-18

Risk Score

Open Full Technical Breakdown