Medium severity 4.3 · NVD Advisory · Published Mar 11, 2026 · Updated Apr 22, 2026
CVE-2026-3906
Description
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API create_item_permissions_check() method in the comments controller did not verify that the authenticated user has edit_post permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
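The missing check described above can be enforced from outside core on a site still in the affected range. The following is an added example, not WordPress core code or the project's patch: a must-use plugin hooked on the `rest_pre_insert_comment` filter. It assumes notes reach the comments controller as comments whose type is `note`; the function name and error code are hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code): reject REST note creation
 * unless the authenticated user can edit the target post.
 * Assumption: notes are comments with comment_type 'note'.
 */
add_filter( 'rest_pre_insert_comment', 'example_require_edit_post_for_notes', 10, 2 );

function example_require_edit_post_for_notes( $prepared_comment, $request ) {
	// Pass through errors raised earlier in the request.
	if ( is_wp_error( $prepared_comment ) ) {
		return $prepared_comment;
	}

	// Read the type from the prepared data, falling back to the request.
	$type = '';
	if ( isset( $prepared_comment['comment_type'] ) ) {
		$type = $prepared_comment['comment_type'];
	} elseif ( isset( $request['type'] ) ) {
		$type = $request['type'];
	}

	// Ordinary comments keep their normal permission rules.
	if ( 'note' !== $type ) {
		return $prepared_comment;
	}

	$post_id = isset( $prepared_comment['comment_post_ID'] )
		? (int) $prepared_comment['comment_post_ID']
		: 0;

	// The check the advisory says was absent: edit_post on the target post.
	// Fail closed when the post ID is missing or invalid.
	if ( $post_id <= 0 || ! current_user_can( 'edit_post', $post_id ) ) {
		return new WP_Error(
			'example_cannot_create_note', // hypothetical error code
			'Sorry, you are not allowed to create notes on this post.',
			array( 'status' => rest_authorization_required_code() )
		);
	}

	return $prepared_comment;
}
```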
Affected products (3)
- osv-coords (2 versions): >= 6.9.0, < 6.9.2 (+ 1 more)
- (no CPE) range: >= 6.9.0, < 6.9.2
- (no CPE) range: >= 6.9.0, < 6.9.2