CVE-2026-3906

MEDIUM 4.3

WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.

CWE	CWE-862
Vendor	wordpress foundation
Product	wordpress
Ecosystems	PHP CMS
Industries	WebMedia
Published	Mar 11, 2026
Last Updated	Mar 11, 2026

Stay Ahead of the Next One

Get instant alerts for wordpress foundation wordpress

Be the first to know when new medium vulnerabilities affecting wordpress foundation wordpress are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

WordPress Foundation / WordPress

6.9 ≤ 6.9.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-8339-7f27f4b6c36b?source=cve core.trac.wordpress.org: https://core.trac.wordpress.org/changeset/61888 core.trac.wordpress.org: https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php#L562

Credits

kaminuma