Bug 2446434 (CVE-2026-3906) - CVE-2026-3906 wordpress: WordPress: Unauthorized access to post notes via improper REST API permission check
Summary: CVE-2026-3906 wordpress: WordPress: Unauthorized access to post notes via imp...
Keywords:
Status: NEW
Alias: CVE-2026-3906
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2446479 2446481
Blocks:
Reported: 2026-03-11 10:01 UTC by OSIDB Bzimport
Modified: 2026-03-11 12:10 UTC (History)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2026-03-11 10:01:21 UTC
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
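The check the description says was missing, shown as an added illustrative example in PHP. This is not WordPress core's comments controller and not the upstream fix; it is a hypothetical custom REST route (`example/v1/notes`, with `example_`-prefixed function names) that puts a login-only permission callback, the pattern the advisory describes, beside a hardened one that resolves the target post and requires the `edit_post` meta-capability on that specific post. All WordPress API calls used (`register_rest_route`, `current_user_can`, `get_post`, `wp_insert_comment`, `rest_authorization_required_code`) are real; the route, comment type and function names are assumptions.

```php
<?php
// Added example; not WordPress core code and not the CVE-2026-3906 patch.
// Hypothetical route demonstrating the permission check the advisory describes:
// a note may only be created by a user who can edit the target post.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/notes', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_create_note',
        // Swap in example_weak_permissions_check to see the over-permissive behaviour.
        'permission_callback' => 'example_create_note_permissions_check',
        'args'                => array(
            'post'    => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
            'content' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
    ) );
} );

/**
 * Weak check (the pattern the advisory describes, in hypothetical form):
 * only verifies that *some* user is authenticated. A Subscriber passes this
 * for any post ID, including other users' drafts and private posts.
 */
function example_weak_permissions_check( WP_REST_Request $request ) {
    return is_user_logged_in();
}

/**
 * Hardened check: authorise against the specific post being targeted.
 * 'edit_post' is a meta-capability, so map_meta_cap() honours post ownership,
 * post status and per-post-type capability mappings.
 */
function example_create_note_permissions_check( WP_REST_Request $request ) {
    $post = get_post( (int) $request['post'] );

    if ( ! $post ) {
        return new WP_Error(
            'rest_post_invalid_id',
            __( 'Invalid post ID.' ),
            array( 'status' => 404 )
        );
    }

    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        // 401 for anonymous callers, 403 for authenticated-but-unauthorised ones.
        return new WP_Error(
            'rest_cannot_create_note',
            __( 'Sorry, you are not allowed to add notes to this post.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return true;
}

/**
 * Route handler: stores the note as a comment of a hypothetical custom type.
 * It runs only after the permission callback returned true.
 */
function example_create_note( WP_REST_Request $request ) {
    $note_id = wp_insert_comment( array(
        'comment_post_ID' => (int) $request['post'],
        'comment_content' => $request['content'],
        'comment_type'    => 'example_note', // hypothetical comment type
        'user_id'         => get_current_user_id(),
    ) );

    if ( ! $note_id ) {
        return new WP_Error(
            'rest_note_create_failed',
            __( 'Could not create note.' ),
            array( 'status' => 500 )
        );
    }

    return rest_ensure_response( array( 'id' => $note_id ) );
}
```

The design point is that the permission callback must be evaluated against the object the request acts on, not against the caller's authentication state alone. A quick review check for any REST controller that writes to a post-scoped object is to confirm its permission callback calls `current_user_can()` with a post-level meta-capability and the resolved post ID, so that the result differs between a Subscriber and the post's author.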