Sticky Notes for WP Dashboard Vulnerability (Medium) – CVE-2025-62087

Feb 25, 2026 | Plugins

Attack Vectors

CVE-2025-62087 affects the Sticky Notes for WP Dashboard WordPress plugin (slug: wb-sticky-notes) in versions 1.2.4 and earlier. This is a Medium-severity issue (CVSS 4.3, vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

An attacker must be authenticated to your WordPress site (for example, with a subscriber-level account or higher). In organizations that allow open user registration, run customer or community sites with member logins, or maintain many internal accounts, the pool of accounts that could misuse this flaw extends well beyond administrators.

Security Weakness

The vulnerability is a missing authorization (capability) check on a plugin function. In practical terms, the plugin does not verify that the logged-in user holds the required capability before it performs a protected action.

Because the weakness is an authorization flaw rather than a “break-in without credentials” flaw, it typically presents as an “inside-the-perimeter” risk: any compromised low-privilege account (or an account created through open registration) can potentially be used to trigger the unauthorized behavior.
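
To make the weakness concrete, here is an added illustration (not code from the wb-sticky-notes plugin, whose affected function the record does not name) of a hypothetical dashboard-note AJAX handler that omits the capability check, followed by the hardened form a plugin author or reviewer would expect. The function names, the option key, the nonce action and the `manage_options` capability are assumptions.

```php
<?php
// Hypothetical plugin code, added for illustration; NOT the wb-sticky-notes source.

// Vulnerable pattern (shown for contrast; do not hook it): any logged-in user
// who can reach the wp_ajax_* endpoint can run this. The nonce proves the
// request came from a page the user loaded, but it is NOT an authorization
// check: a subscriber holds a valid nonce too.
function demo_notes_save_vulnerable() {
    check_ajax_referer( 'demo_notes_nonce', 'nonce' );
    $note = wp_kses_post( wp_unslash( $_POST['note'] ?? '' ) );
    update_option( 'demo_dashboard_note', $note ); // site-wide state changed
    wp_send_json_success();
}

// Hardened pattern: verify the nonce AND the capability before any write.
// 'manage_options' is an assumed capability; use the least-privileged
// capability that legitimately covers the action.
function demo_notes_save_hardened() {
    check_ajax_referer( 'demo_notes_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // Stops execution with a JSON error and HTTP 403.
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $note = wp_kses_post( wp_unslash( $_POST['note'] ?? '' ) );
    update_option( 'demo_dashboard_note', $note );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_notes_save', 'demo_notes_save_hardened' );
```

When reviewing a plugin for this class of bug, list every `wp_ajax_*`, `admin_post_*` and REST route callback and confirm each one calls `current_user_can()` (or declares a REST `permission_callback`) before it writes anything.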

Technical or Business Impacts

This issue enables authenticated attackers to perform an unauthorized action in affected versions of Sticky Notes for WP Dashboard. Although the published details describe the integrity impact as limited (the CVSS vector records I:L with no confidentiality or availability impact), unauthorized changes in the WordPress dashboard environment can still create real business risk.

For leadership and compliance teams, the primary concerns are loss of control over administrative workflows, unapproved changes that may disrupt internal operations, and audit or compliance friction if you must explain how a low-privilege account could perform actions that should have been restricted. Even “limited” integrity issues can translate into time-consuming incident response, stakeholder communications, and reduced confidence in site governance.

Remediation: Update the plugin to Sticky Notes for WP Dashboard 1.2.5 or a newer patched version. Source: Wordfence vulnerability record. CVE record: CVE-2025-62087.

Similar Attacks

Authorization gaps in WordPress plugins are a recurring pattern and are frequently used to turn “basic access” into “unapproved actions.” Examples of real-world WordPress plugin security issues of this kind include:

WP GDPR Compliance plugin vulnerability (Wordfence analysis)
File Manager WP plugin zero-day (Wordfence analysis)
