Description
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
Published: 2026-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Note Creation by Subscriber
Action: Apply Patch
AI Analysis

Impact

WordPress core versions 6.9 to 6.9.1 contain a missing authorization check in the REST API endpoint used for creating notes. The method `create_item_permissions_check()` does not verify that the authenticated user holds the `edit_post` capability for the target post. Consequently, any authenticated user, including one with only Subscriber privileges, can create notes on any post regardless of its ownership or visibility. The weakness is classified as CWE-862: Missing Authorization.
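As an added illustration of the missing check described here and in the Description above (example code written for this page, not WordPress core's actual controller code), a hypothetical weak REST permission callback beside a hardened one. It assumes a note arrives with the comment `type` field set to `note`; the function names, error codes and messages are invented for the example.

```php
<?php
// Added illustration of the authorization gap; not WordPress core code.
// Function names, error codes and messages are assumed for the example.
// Both callbacks have the shape of a REST permission callback: they return
// true to allow the request or a WP_Error to deny it.

// Weak form: requires only a logged-in user and an existing post, so any
// Subscriber can attach a "note" to any post in any status.
function example_create_note_permissions_weak( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_comment_login_required', 'You must be logged in.', array( 'status' => 401 ) );
    }
    $post = get_post( (int) $request['post'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_comment_invalid_post_id', 'Invalid post.', array( 'status' => 403 ) );
    }
    return true; // no check that the caller may edit this post
}

// Hardened form: a note is an editorial annotation, so creating one on a
// given post requires the edit_post meta-capability for that specific post.
// current_user_can() resolves edit_post per post: an Author passes for their
// own posts, an Editor for any post, and a Subscriber for none.
function example_create_note_permissions_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_comment_login_required', 'You must be logged in.', array( 'status' => 401 ) );
    }
    $post = get_post( (int) $request['post'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_comment_invalid_post_id', 'Invalid post.', array( 'status' => 403 ) );
    }
    // Assumed: the note type is carried in the comment "type" field.
    if ( 'note' === $request['type'] && ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error(
            'rest_cannot_create_note',
            'You are not allowed to create notes on this post.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}
```

The per-post capability check is the point: a site-wide "is logged in" test says nothing about whether the caller may annotate this particular post.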

Affected Systems

Any WordPress installation running core versions 6.9 through 6.9.1 is affected. The flaw resides in the core file class-wp-rest-comments-controller.php, so it does not depend on any particular plugin or theme.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account (Subscriber or above) and is reachable over the network through the WordPress REST API by submitting a note creation request.

Generated by OpenCVE AI on March 17, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to WordPress 6.9.2 or later when it becomes available.
  • Verify that the update has been applied by checking the WordPress version number.
  • Monitor note activity on posts for any unexpected entries to ensure the vulnerability is no longer exploitable.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

  • First Time appeared (values added): Wordpress; Wordpress wordpress
  • Vendors & Products (values added): Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 14:15:00 +0000

  • Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 09:45:00 +0000

  • Description (values added): WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
  • Title (values added): WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API
  • Weaknesses (values added): CWE-862
  • References: (no values listed)
  • Metrics (values added): cvssV3_1
    {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

No values were removed in any of these entries.


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T13:18:53.880Z

Reserved: 2026-03-10T19:52:58.673Z

Link: CVE-2026-3906

Vulnrichment

Updated: 2026-03-11T13:18:39.479Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T10:16:14.217

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-3906

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:28Z

Weaknesses