CVE-2026-3906

WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php#L562
https://core.trac.wordpress.org/changeset/61888
https://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-8339-7f27f4b6c36b?source=cve

Configurations

No configuration.

History

22 Apr 2026, 21:27

Type	Values Removed	Values Added
Summary		(es) El núcleo de WordPress es vulnerable a acceso no autorizado en las versiones 6.9 a 6.9.1. La función de Notas (anotaciones de colaboración a nivel de bloque) se introdujo en WordPress 6.9 para permitir comentarios editoriales directamente en las publicaciones en el editor de bloques. Sin embargo, el método `create_item_permissions_check()` de la API REST en el controlador de comentarios no verificó que el usuario autenticado tuviera permiso `edit_post` en la publicación objetivo al crear una nota. Esto hace posible que atacantes autenticados con acceso de nivel de Suscriptor creen notas en cualquier publicación, incluyendo publicaciones creadas por otros usuarios, publicaciones privadas y publicaciones en cualquier estado.

11 Mar 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 10:16

Updated : 2026-06-17 10:44

NVD link : CVE-2026-3906

Mitre link : CVE-2026-3906

CVE.ORG link : CVE-2026-3906

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-3906", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-3906", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:18:15.777023Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "affected": [{"source": "security@wordfence.com", "affectedData": [{"vendor": "WordPress Foundation", "product": "WordPress", "versions": [{"status": "affected", "version": "6.9", "versionType": "semver", "lessThanOrEqual": "6.9.1"}], "defaultStatus": "unaffected"}]}], "published": "2026-03-11T10:16:14.217", "references": [{"url": "https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php#L562", "source": "security@wordfence.com"}, {"url": "https://core.trac.wordpress.org/changeset/61888", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-8339-7f27f4b6c36b?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status."}, {"lang": "es", "value": "El n\u00facleo de WordPress es vulnerable a acceso no autorizado en las versiones 6.9 a 6.9.1. La funci\u00f3n de Notas (anotaciones de colaboraci\u00f3n a nivel de bloque) se introdujo en WordPress 6.9 para permitir comentarios editoriales directamente en las publicaciones en el editor de bloques. Sin embargo, el m\u00e9todo `create_item_permissions_check()` de la API REST en el controlador de comentarios no verific\u00f3 que el usuario autenticado tuviera permiso `edit_post` en la publicaci\u00f3n objetivo al crear una nota. Esto hace posible que atacantes autenticados con acceso de nivel de Suscriptor creen notas en cualquier publicaci\u00f3n, incluyendo publicaciones creadas por otros usuarios, publicaciones privadas y publicaciones en cualquier estado."}], "lastModified": "2026-06-17T10:44:24.270", "sourceIdentifier": "security@wordfence.com"}