CVE-2025-12071 is an insecure direct object reference vulnerability in the Frontend User Notes WordPress plugin (versions ≤ 2.1.0). The vulnerability arises from insufficient validation of a user-controlled key in the 'funp_ajax_modify_notes' AJAX endpoint, allowing authenticated users with Subscriber privileges or higher to modify arbitrary notes that they do not own. This bypasses intended authorization controls and compromises data integrity within the plugin's note management functionality.

An attacker with authenticated access at Subscriber level or above can modify notes created by other users. This could lead to unauthorized data modification within the WordPress site where the plugin is installed. There is no indication of confidentiality or availability impact, and no known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider restricting access to the plugin's functionality to trusted users only or disabling the plugin if feasible to prevent exploitation.