CVE-2025-62087: CWE-862 Missing Authorization in Web Builder 143 Sticky Notes for WP Dashboard
Missing Authorization vulnerability in Web Builder 143 Sticky Notes for WP Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Notes for WP Dashboard: from n/a through 1.2.4.
AI Analysis
Technical Summary
CVE-2025-62087 is classified under CWE-862 (Missing Authorization) and affects the Web Builder 143 Sticky Notes for WP Dashboard WordPress plugin in versions up to 1.2.4. The vulnerability arises from incorrectly configured access control security levels, which allow users with limited privileges (PR:L) to access or retrieve data they should not be authorized to view. The CVSS 3.1 base score is 4.3 (medium), with an attack vector of network (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and impact limited to confidentiality (C:L), with no impact on integrity or availability. The vulnerability enables unauthorized disclosure of sensitive information stored within the Sticky Notes plugin on WordPress dashboards, potentially exposing internal notes or sensitive operational data. Exploitation does not require user interaction and can be performed remotely, but the attacker must have some level of authenticated access. No patches or known exploits are currently available or reported, but the issue is publicly disclosed and has been assigned a CVE ID. The vulnerability highlights the importance of proper access control enforcement in WordPress plugins that handle sensitive or internal data.
Potential Impact
For European organizations, the primary impact is the unauthorized disclosure of potentially sensitive internal notes or operational information stored within the Sticky Notes plugin on WordPress dashboards. This could lead to information leakage that may aid further attacks such as social engineering or reconnaissance. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach can undermine trust and compliance, especially under GDPR where unauthorized data exposure is a serious concern. Organizations relying on this plugin for internal communications or note-taking on WordPress dashboards may face risks of sensitive information exposure to unauthorized users with limited privileges. The medium severity rating indicates that while the risk is not critical, it is significant enough to warrant timely remediation to prevent escalation or chaining with other vulnerabilities.
Mitigation Recommendations
1. Immediately audit user roles and permissions within WordPress to ensure that only trusted users have access to the Sticky Notes plugin features.
2. Restrict access to the plugin’s dashboard components to the minimum necessary user roles.
3. Monitor and log access to the Sticky Notes plugin to detect any unauthorized attempts or unusual activity.
4. Apply the principle of least privilege for all users interacting with the WordPress dashboard.
5. Stay alert for official patches or updates from Web Builder 143 and apply them promptly once released.
6. Consider temporarily disabling or uninstalling the Sticky Notes plugin if the risk of sensitive data exposure is unacceptable and no patch is available.
7. Conduct regular security reviews of all WordPress plugins, focusing on access control mechanisms.
8. Educate administrators and users about the risks of storing sensitive information in dashboard notes or plugins lacking robust access controls.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-07T15:34:56.057Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69554bc2db813ff03ef247f6
Added to database: 12/31/2025, 4:13:54 PM
Last enriched: 1/20/2026, 10:20:28 PM
Last updated: 2/7/2026, 6:29:13 PM