{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3906", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-10T19:52:58.673Z", "datePublished": "2026-03-11T09:25:44.130Z", "dateUpdated": "2026-03-11T13:18:53.880Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-11T09:25:44.130Z"}, "affected": [{"vendor": "WordPress Foundation", "product": "WordPress", "versions": [{"version": "6.9", "status": "affected", "lessThanOrEqual": "6.9.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status."}], "title": "WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-8339-7f27f4b6c36b?source=cve"}, {"url": "https://core.trac.wordpress.org/changeset/61888"}, {"url": "https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php#L562"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "kaminuma"}], "timeline": [{"time": "2026-03-10T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T13:18:15.777023Z", "id": "CVE-2026-3906", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:18:53.880Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:18:15.777023Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:18:39.479Z"}}], "cna": {"title": "WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API", "credits": [{"lang": "en", "type": "finder", "value": "kaminuma"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "WordPress Foundation", "product": "WordPress", "versions": [{"status": "affected", "version": "6.9", "versionType": "semver", "lessThanOrEqual": "6.9.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-10T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-8339-7f27f4b6c36b?source=cve"}, {"url": "https://core.trac.wordpress.org/changeset/61888"}, {"url": "https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php#L562"}], "descriptions": [{"lang": "en", "value": "WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-11T09:25:44.130Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3906", "state": "PUBLISHED", "dateUpdated": "2026-03-11T13:18:53.880Z", "dateReserved": "2026-03-10T19:52:58.673Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-11T09:25:44.130Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status."}, {"lang": "es", "value": "El n\u00facleo de WordPress es vulnerable a acceso no autorizado en las versiones 6.9 a 6.9.1. La funci\u00f3n de Notas (anotaciones de colaboraci\u00f3n a nivel de bloque) se introdujo en WordPress 6.9 para permitir comentarios editoriales directamente en las publicaciones en el editor de bloques. Sin embargo, el m\u00e9todo `create_item_permissions_check()` de la API REST en el controlador de comentarios no verific\u00f3 que el usuario autenticado tuviera permiso `edit_post` en la publicaci\u00f3n objetivo al crear una nota. Esto hace posible que atacantes autenticados con acceso de nivel de Suscriptor creen notas en cualquier publicaci\u00f3n, incluyendo publicaciones creadas por otros usuarios, publicaciones privadas y publicaciones en cualquier estado."}], "id": "CVE-2026-3906", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-11T10:16:14.217", "references": [{"source": "security@wordfence.com", "url": "https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php#L562"}, {"source": "security@wordfence.com", "url": "https://core.trac.wordpress.org/changeset/61888"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-8339-7f27f4b6c36b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.9,6.9.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "WordPress", "source": "cna", "vendor": "WordPress Foundation"}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T17:24:21.766678+00:00", "value": {"mitigation_remediation": ["Update to WordPress 6.9.2 or later when it becomes available.", "Verify that the update has been applied by checking the WordPress version number.", "Monitor note activity on posts for any unexpected entries to ensure the vulnerability is no longer exploitable."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Note Creation by Subscriber"}, "threat_synthesis": {"affected_systems": "Any WordPress installation running core versions 6.9 through 6.9.1 is affected. The issue resides in the core code file class\u2011wp\u2011rest\u2011comments\u2011controller.php and does not require any particular plugin or theme.", "description_and_impact": "WordPress core versions 6.9 to 6.9.1 contain a missing authorization check in the REST API endpoint used for creating notes. The method `create_item_permissions_check()` does not verify that an authenticated user has the required `edit_post` capability on the target post. Consequently, any authenticated user, including those with only Subscriber privileges, can create notes on any post, regardless of ownership or visibility. The vulnerability is identified as CWE\u2011862: Missing Authorization.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates a moderate severity. The EPSS score of less than 1\u202f% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and can exploit the flaw over the network via the WordPress REST API by submitting a note creation request."}}}}, "created": "2026-03-12T10:06:07.285145+00:00", "updated": "2026-03-20T14:37:28.489560+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}