Notepad++ DLL Hijacking Vulnerability Let Attackers Execute Malicious Code (cybersecuritynews.com)
from cm0002@piefed.world to cybersecurity@infosec.pub on 30 Sep 03:12
https://piefed.world/post/510593

#cybersecurity


WaterWaiver@aussie.zone on 30 Sep 04:07

Bogus CVE. Spam.

From the PoC:

Replace the original DLL (such as Notepad++\plugins\NppExport\NppExport.dll) with a DLL file with the same name containing malicious code

If you replace parts of a program with malware then you can get malware to run. This is true of all software.

CookieOfFortune@lemmy.world on 30 Sep 05:03

Looks like the article was written by AI.

Hawke@lemmy.world on 30 Sep 05:45
0_o7@lemmy.dbzer0.com on 30 Sep 13:45

If you log in to your own account and post “this account is hacked”, you’ve been pwned.

-1337 H4CK3R

TeamAssimilation@infosec.pub on 30 Sep 13:56

Bro can I have the exploit please bro? How did you do it?

ChairmanMeow@programming.dev on 30 Sep 05:32

One of the NPP maintainers responded with:

Notepad++ & its plugins are installed in the “Program Files” directory by default, which means hackers would need admin privileges to replace any plugin. If a hacker gains such privileges, they could also replace all the DLLs in the system32 folder. By the same logic, once Notepad++ is compromised in this way, any application or executable binary (*.exe & *.dll) on the system could potentially be replaced. Or am I missing something?

Which I suppose is true. You could argue it is a way to persist malicious code once you do have access, but it seems unlikely and not that useful. Low severity if anything.

You’d need to have some general attack script that can adjust (or create proxies for) dlls maliciously on the fly, without prior knowledge of which dlls are encountered. Only in that case could the exe maybe detect malicious changes to the dll and stop execution. But a targeted attack using a compromised NPP distribution wouldn’t be covered with such a check.
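
An added example, not part of the thread or of the Notepad++ project: a PowerShell audit that tests the premise in the maintainer's reply, namely that only administrative principals can write to the plugin directory. The default path and the list of trusted SIDs are assumptions; adjust them for portable or custom installs.

```powershell
# Added example: list ACL entries that let a non-administrative principal
# write to, replace, or re-permission files under the Notepad++ plugin folder.
param(
    # Assumption: default install path; pass -PluginDir for portable/custom installs.
    [string]$PluginDir = (Join-Path $env:ProgramFiles 'Notepad++\plugins')
)

# Principals expected to hold write access under "Program Files".
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (placeholder for whoever created the object)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Specific rights that allow planting or replacing a DLL, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can
# appear unmapped in inherit-only entries.
$specific  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = [int]$specific -bor 0x50000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$items = @(Get-Item -LiteralPath $PluginDir -ErrorAction Stop) +
         @(Get-ChildItem -LiteralPath $PluginDir -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{
            Path    = $item.FullName
            Account = $name
            Sid     = $rule.IdentityReference.Value
            Rights  = $rule.FileSystemRights
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "No write-capable ACL entries for non-administrative principals under $PluginDir" }
```

The script reads DACLs only; it does not evaluate object ownership or group membership, so a flagged group still needs interpreting against who is actually in it.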

davidagain@lemmy.world on 30 Sep 16:26

At first I thought “oh, I wonder if my favourite text editor is affected by a similar bug, and I wonder what actions make it vulnerable.”

Well, it turns out that the action that makes it vulnerable is installing separate malware with admin privileges. I will do my best to avert that danger, but I wouldn’t class “third party malware with admin privileges can replace part of this program with its own code” as a serious vulnerability in this software specifically.

What a silly article.