CVE-2026-3906

Summary

WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API create_item_permissions_check() method in the comments controller did not verify that the authenticated user has edit_post permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.

Affected Software

VendorProductVersion RangeStatus
WordPress FoundationWordPress6.9 <= 6.9.1affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References