CVE-2026-3906 — Missing Authorization in Foundation Wordpress
Severity
4.3 MEDIUM (NVD)
EPSS
0.0% (top 92.77%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 11
Description
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Sub…
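The flaw described above is a missing object-level authorization check: the endpoint confirmed that the caller was authenticated but not that the caller may edit the specific post the note targets. The following is an added illustration, not WordPress core's code or its actual fix, of a custom REST route for a note-like comment with the weak permission callback beside a hardened one that checks `edit_post` on the target post. The route namespace `notes-demo/v1`, the function names and the comment type `notes_demo` are hypothetical; the WordPress APIs used (`register_rest_route`, `current_user_can`, `wp_insert_comment`, `rest_authorization_required_code`) are real.

```php
<?php
// Added illustration (not WordPress core's code or its patch): a custom REST
// endpoint that creates a note-like comment on a post. The weak permission
// callback only checks that a user is logged in; the hardened one also checks
// the edit_post capability on the specific target post, the check the CVE
// description says was missing.

// WEAK: any authenticated user (Subscriber and up) passes this check.
// This is the bug class the CVE describes.
function notes_demo_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED: require edit_post on the post the note would be attached to.
function notes_demo_permission_hardened( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'post' );
    $post    = get_post( $post_id );

    if ( ! $post ) {
        return new WP_Error(
            'notes_demo_no_post',
            'Target post not found.',
            array( 'status' => 404 )
        );
    }

    // Object-level check: the capability is evaluated against this post,
    // not just "is the user logged in" or "can the user edit posts in general".
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error(
            'notes_demo_forbidden',
            'You are not allowed to add notes to this post.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }

    return true;
}

// Creation handler; only reached after the permission callback returns true.
function notes_demo_create( WP_REST_Request $request ) {
    $comment_id = wp_insert_comment( array(
        'comment_post_ID' => (int) $request->get_param( 'post' ),
        'comment_content' => wp_kses_post( $request->get_param( 'content' ) ),
        'comment_type'    => 'notes_demo', // hypothetical type for this illustration
        'user_id'         => get_current_user_id(),
    ) );

    if ( ! $comment_id ) {
        return new WP_Error(
            'notes_demo_insert_failed',
            'Could not create note.',
            array( 'status' => 500 )
        );
    }

    return rest_ensure_response( array( 'id' => $comment_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'notes-demo/v1', '/notes', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'notes_demo_create',
        // The hardened callback is wired in; the _weak variant above is what
        // the vulnerable shape looks like for comparison.
        'permission_callback' => 'notes_demo_permission_hardened',
        'args'                => array(
            'post'    => array( 'required' => true, 'type' => 'integer' ),
            'content' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

When reviewing REST endpoints of this kind, the question to ask of every `permission_callback` is whether it binds the capability check to the specific object named in the request (`edit_post` with a post ID) rather than to the session alone.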
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4
Affected Packages (2 packages)
Vulnerability Details
GHSA (3)
CVEList
WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API (2026-03-11)
Vendor Advisories
Debian (1)
CVE-2026-3906: wordpress - WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.... (2026)