FKIE_CVE-2026-3906

Vulnerability from fkie_nvd - Published: 2026-03-11 10:16 - Updated: 2026-03-11 13:52
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
References
security@wordfence.comhttps://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php#L562
security@wordfence.comhttps://core.trac.wordpress.org/changeset/61888
security@wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-8339-7f27f4b6c36b?source=cve
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status."
    },
    {
      "lang": "es",
      "value": "El n\u00facleo de WordPress es vulnerable a acceso no autorizado en las versiones 6.9 a 6.9.1. La funci\u00f3n de Notas (anotaciones de colaboraci\u00f3n a nivel de bloque) se introdujo en WordPress 6.9 para permitir comentarios editoriales directamente en las publicaciones en el editor de bloques. Sin embargo, el m\u00e9todo `create_item_permissions_check()` de la API REST en el controlador de comentarios no verific\u00f3 que el usuario autenticado tuviera permiso `edit_post` en la publicaci\u00f3n objetivo al crear una nota. Esto hace posible que atacantes autenticados con acceso de nivel de Suscriptor creen notas en cualquier publicaci\u00f3n, incluyendo publicaciones creadas por otros usuarios, publicaciones privadas y publicaciones en cualquier estado."
    }
  ],
  "id": "CVE-2026-3906",
  "lastModified": "2026-03-11T13:52:47.683",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security@wordfence.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-11T10:16:14.217",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://core.trac.wordpress.org/browser/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php#L562"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://core.trac.wordpress.org/changeset/61888"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a69782f0-aa61-4049-8339-7f27f4b6c36b?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.