CVE-2025-62087
Description
Missing Authorization vulnerability in Web Builder 143 Sticky Notes for WP Dashboard (wb-sticky-notes) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Notes for WP Dashboard: from n/a through <= 1.2.4.
Analysis
Missing authorization in Sticky Notes for WP Dashboard plugin (versions up to 1.2.4) allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability stems from improper enforcement of authorization checks (CWE-862), potentially enabling unauthorized users to access or manipulate sticky notes functionality. With an EPSS score of 0.04% (11th percentile), this represents a low real-world exploitation probability despite the authorization flaw, suggesting either limited attack surface or constrained practical utility.
Technical Context
The vulnerability involves a missing authorization control in a WordPress plugin that manages sticky notes functionality within the WP Dashboard. Specifically, the plugin fails to properly enforce access control security levels (CWE-862: Missing Authorization), which is the root cause classification. WordPress plugins commonly implement per-user or per-role authorization checks via nonce verification and capability checks using the current_user_can() function. The absence or misconfiguration of such checks allows the application to process requests without verifying that the requesting user has legitimate permission to access or modify the targeted resources. This type of flaw is particularly common in dashboard and note-taking functionality where granular access controls are often assumed but not explicitly implemented.
Affected Products
Sticky Notes for WP Dashboard plugin (CPE: wordpress:wb-sticky-notes-plugin) versions 1.2.4 and all earlier versions are affected. The vulnerability applies to the entire release history up to and including version 1.2.4. Additional details and remediation guidance are available from the Patchstack vulnerability database entry referenced in the advisory.
Remediation
Update Sticky Notes for WP Dashboard plugin to a version newer than 1.2.4 to remediate the authorization bypass vulnerability. WordPress administrators should navigate to Plugins > Installed Plugins, locate 'Sticky Notes for WP Dashboard', and click 'Update' if a patched version is available in the WordPress plugin repository. If an update is not yet available from the official repository, temporarily disable the plugin (via Plugins > Installed Plugins > Deactivate) until a security patch is released. Verify the fix by checking the plugin's changelog or the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/wb-sticky-notes/vulnerability/wordpress-sticky-notes-for-wp-dashboard-plugin-1-2-4-broken-access-control-vulnerability for confirmation of patched version availability.
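For administrators who want to check a `wp-content/plugins` directory from the filesystem rather than the dashboard, the following is an added example (not code from the plugin, Patchstack, or this site) that reads the plugin's version header and compares it with the affected range stated above. The function names, status strings and the sample file built by `make_sample` are constructed for illustration; only the slug `wb-sticky-notes` and the 1.2.4 boundary come from the advisory.

```python
import re
import tempfile
from pathlib import Path

SLUG = "wb-sticky-notes"    # plugin folder name, taken from the advisory URL
LAST_AFFECTED = (1, 2, 4)   # advisory: affected through <= 1.2.4
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'1.2.4' -> (1, 2, 4); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:   # treat 1.2.4.0 the same as 1.2.4
        parts.pop()
    return tuple(parts)

def installed_version(plugins_dir):
    """Version header of the plugin's main file, or None if not found."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    # WordPress reads plugin headers from the first 8 KB of a top-level PHP file.
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if re.search(r"Plugin Name:", head, re.I):
            m = VERSION_RE.search(head)
            return m.group(1) if m else None
    return None

def status(plugins_dir):
    """'affected', 'newer', or 'not-found' for one wp-content/plugins dir."""
    version = installed_version(plugins_dir)
    if version is None:
        return "not-found"
    return "affected" if parse_version(version) <= LAST_AFFECTED else "newer"

def make_sample(version):
    """Build a constructed plugins dir (file name and header are made up)."""
    root = Path(tempfile.mkdtemp())
    (root / SLUG).mkdir()
    header = f"<?php\n/*\n * Plugin Name: Sticky Notes (constructed sample)\n * Version: {version}\n */\n"
    (root / SLUG / "sample-main.php").write_text(header)
    return root
```

A result of `newer` only means the installed version is outside the range the advisory lists; whether that release contains the fix still has to be confirmed against the changelog or the Patchstack entry.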