WordPress core 6.9-6.9.1 unauthorized note creation via REST API
CVE-2026-3906 Published on March 11, 2026

WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
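As an added illustration (not WordPress core's code or its actual patch), the snippet below contrasts the shape of the flaw described above with a hardened permission callback, for a hypothetical plugin route that stores notes as comments on the target post; the `example/v1` namespace, the function names and the `example_note` comment type are assumptions.

```php
<?php
// Added example, not WordPress core's code: a hypothetical plugin REST route for
// creating notes. Route namespace, function names and the 'example_note' comment
// type are assumptions made for this illustration.

// Vulnerable shape: the callback only checks that somebody is logged in, so any
// Subscriber can create a note on any post, whatever its author or status.
function example_note_create_permissions_vulnerable( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened shape: resolve the target post and require the edit_post capability
// on that specific post; 401 for anonymous callers, 403 for logged-in callers.
function example_note_create_permissions_hardened( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'post' );
    $post    = $post_id > 0 ? get_post( $post_id ) : null;
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error(
            'rest_cannot_create_note',
            'Sorry, you are not allowed to create notes on this post.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handler (assumed storage: a note is a comment of a custom type on the post).
function example_note_create( WP_REST_Request $request ) {
    $id = wp_insert_comment( array(
        'comment_post_ID' => (int) $request->get_param( 'post' ),
        'comment_content' => sanitize_textarea_field( (string) $request->get_param( 'content' ) ),
        'comment_type'    => 'example_note',
        'user_id'         => get_current_user_id(),
    ) );
    return rest_ensure_response( array( 'id' => $id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/notes', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_note_create',
        'permission_callback' => 'example_note_create_permissions_hardened',
        'args'                => array( 'post' => array( 'required' => true, 'type' => 'integer' ) ),
    ) );
} );
```

Because `edit_post` is a meta capability, WordPress resolves it per post (own, others', private), which is exactly the per-post check the vulnerable callback lacks.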

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2026-3906 has been classified as an AuthZ vulnerability or weakness.



Affected Versions

WordPress Foundation WordPress: 6.9 through 6.9.1

Exploit Probability

EPSS: 0.02% (percentile: 5.76%)

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.