PT-2026-24659 · WordPress Foundation · WordPress

Kaminuma · Published 2026-03-11 · Updated 2026-04-28 · CVE-2026-3906

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WordPress versions 6.9 through 6.9.1
Description: WordPress core is susceptible to unauthorized access. The Notes feature, introduced in WordPress 6.9, allows collaborative annotations on posts within the block editor. However, the REST API create_item_permissions_check() method in the comments controller did not confirm that the authenticated user holds the edit_post capability for the specific post when creating a note. This allows authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by others, private posts, and posts in any status.
Recommendations: Update WordPress to a version beyond 6.9.1.
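To make the missing check concrete, here is a hypothetical REST permission callback pair written for this advisory (not WordPress core code and not the CVE-2026-3906 patch): a weak callback that only asks whether a user is logged in, beside a hardened one that resolves the target post from the request and requires the per-post edit_post capability. The route name, parameter name and handler example_create_note are assumptions; the WordPress functions used are real core APIs.

```php
<?php
// Hypothetical permission callbacks for a "create note" REST endpoint.
// Added illustration for the advisory; not WordPress core code.

// Weak pattern: any authenticated role (e.g. Subscriber) passes, no matter
// which post the note targets. This is the class of flaw the advisory names.
function weak_create_note_permissions_check( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: tie the check to the specific post being annotated.
function hardened_create_note_permissions_check( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'post' ); // 'post' is an assumed arg name
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post ) {
        return new WP_Error(
            'rest_post_invalid_id',
            __( 'Invalid post ID.' ),
            array( 'status' => 404 )
        );
    }

    // edit_post is a meta-capability mapped per post: it honours authorship,
    // post status and private-post rules for the post type.
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error(
            'rest_cannot_create_note',
            __( 'Sorry, you are not allowed to create notes on this post.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return true;
}

// Route registration showing the hardened callback in place.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/notes', array( // assumed namespace/route
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_create_note', // assumed handler, not shown
        'permission_callback' => 'hardened_create_note_permissions_check',
        'args'                => array(
            'post' => array( 'required' => true, 'type' => 'integer' ),
        ),
    ) );
} );
```

A quick self-check for a plugin's own endpoints: log in as a Subscriber and send a create request against a private post owned by another user; the hardened callback should answer 401/403, the weak one 201.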

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers

BIT-WORDPRESS-2026-3906
BIT-WORDPRESS-MULTISITE-2026-3906
CVE-2026-3906

Affected Products

Wordpress
Wordpress-Multisite