Vulnerability Description
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints
- https://core.trac.wordpress.org/changeset/61888
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-833
FAQ
What is CVE-2026-3906?
CVE-2026-3906 is a vulnerability with a CVSS score of 4.3 (MEDIUM). WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments...
How severe is CVE-2026-3906?
CVE-2026-3906 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-3906?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.