Description

The plugin is vulnerable to Insecure Direct Object References (IDOR) in the post_id= parameter of its note-deletion request. Authenticated users are able to delete private notes that belong to other user accounts. This poses a significant security risk: it violates the principle of least privilege and compromises the integrity and privacy of user data.
After the attacker creates a note, they use the delete option, intercept the request, and change post_id= to the ID of the victim's note.
action=wpdn_delete_note&post_id=<ID-TO-DELETE>&nonce=1aa16d2949
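The request above carries a nonce, but a nonce only proves the request originated from a page the current user loaded; it says nothing about who owns the object being deleted. The handler below is an added, illustrative fix for a wpdn_delete_note-style AJAX action and is not the plugin's own code: the callback name, the nonce action string, and the note post type ('wpdn_note') are assumptions made for the example. Only the action name, the post_id parameter and the nonce field name come from the advisory.

```php
<?php
// Added example (not the plugin's code): a hardened handler for the
// wpdn_delete_note AJAX action described above. Callback name, nonce action
// string and the 'wpdn_note' post type are assumptions for illustration.

add_action( 'wp_ajax_wpdn_delete_note', 'wpdn_example_delete_note' );

function wpdn_example_delete_note() {
    // 1. CSRF check: validates the 'nonce' field seen in the captured request.
    //    This does NOT establish ownership of post_id; that is step 4.
    check_ajax_referer( 'wpdn_delete_note', 'nonce' );

    // 2. The wp_ajax_ hook (without _nopriv) already requires a session,
    //    but state the requirement explicitly.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Not logged in' ), 401 );
    }

    // 3. Validate the identifier and load the object it refers to.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $note    = $post_id ? get_post( $post_id ) : null;

    if ( ! $note || 'wpdn_note' !== $note->post_type ) {
        wp_send_json_error( array( 'message' => 'Note not found' ), 404 );
    }

    // 4. Authorization: the missing check that makes this an IDOR.
    //    The note must belong to the current user, or the user must hold
    //    the delete_post meta capability for this specific post.
    if ( (int) $note->post_author !== get_current_user_id()
         && ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 5. Only now perform the privileged action.
    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => $post_id ) );
}
```

Checking current_user_can( 'delete_post', $post_id ) rather than a blanket capability matters: it resolves per object, so a normal user passes only for notes they authored while an administrator still can. When verifying a fix, the test is simple: log in as user A, submit the delete request for a note owned by user B with a valid nonce for user A, and expect a 403 with the note still present.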