
Unauthorized Notes Can Be Created in WordPress Posts

CVE-2026-3906 BIT-wordpress-multisite-2026-3906
Summary

A vulnerability in WordPress versions 6.9 through 6.9.1 allows any authenticated user with Subscriber-level access to create editorial notes on any post, including posts they cannot edit: posts authored by other users, private posts, and posts in any status. The REST endpoint that creates a note never checks whether the caller may edit the target post, so a low-privileged account can attach unwanted or misleading notes to posts it has no rights over. Update to WordPress 6.9.2 or later to fix this issue.

What to do
  • Update wordpress-multisite to version 6.9.2 or later.
Affected software
Vendor | Product | Affected versions | Fix available
– | wordpress-multisite | >= 6.9.0, < 6.9.2 (6.9 through 6.9.1) | 6.9.2
Original title
WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API
Original description
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.
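The check the description says was missing is an ownership test on the target post before a note is stored. The following is an added example, not WordPress core's patch and not code from this advisory: a must-use plugin that adds that check as a stopgap on a site that cannot update to 6.9.2 yet, hooked on the `rest_pre_insert_comment` filter that the comments controller applies before inserting a comment. It assumes two things that are not stated on this page: that notes are stored as comments whose `comment_type` is `note`, and that the target post ID reaches the filter as `comment_post_ID` (the key the comments controller uses for ordinary comments). Both are assumptions; the plugin name and function name are illustrative.

```php
<?php
/**
 * Plugin Name: Require edit_post for notes (added example, not WordPress core)
 * Description: Stopgap for CVE-2026-3906 on WordPress 6.9 / 6.9.1. Blocks REST
 *              note creation by users who cannot edit the target post. Remove
 *              after updating to 6.9.2 or later, which fixes the controller itself.
 *
 * Assumptions (not verified against WordPress 6.9 source):
 *  - notes are comments with comment_type 'note'
 *  - the target post ID is passed to the filter as comment_post_ID
 */

add_filter( 'rest_pre_insert_comment', 'example_require_edit_post_for_notes', 10, 2 );

/**
 * @param array|WP_Error  $prepared_comment Comment data about to be inserted.
 * @param WP_REST_Request $request          The REST request that created it.
 * @return array|WP_Error Unchanged data, or a WP_Error that aborts the insert.
 */
function example_require_edit_post_for_notes( $prepared_comment, $request ) {
	// An earlier filter may already have rejected the request; pass that through.
	if ( is_wp_error( $prepared_comment ) ) {
		return $prepared_comment;
	}

	// Only act on notes; ordinary comments keep their normal permission model.
	// 'note' is the assumed comment_type value for block-editor notes.
	$type = isset( $prepared_comment['comment_type'] ) ? $prepared_comment['comment_type'] : 'comment';
	if ( 'note' !== $type ) {
		return $prepared_comment;
	}

	// A note must be attached to a post that exists (assumed key: comment_post_ID).
	$post_id = isset( $prepared_comment['comment_post_ID'] ) ? (int) $prepared_comment['comment_post_ID'] : 0;
	$post    = $post_id ? get_post( $post_id ) : null;
	if ( ! $post ) {
		return new WP_Error(
			'rest_note_invalid_post',
			__( 'Notes must be attached to an existing post.' ),
			array( 'status' => 403 )
		);
	}

	// The missing authorization (CWE-862): the caller must be allowed to edit
	// the post the note is attached to. edit_post covers private posts and
	// every post status, so a Subscriber fails this for posts they do not own.
	if ( ! current_user_can( 'edit_post', $post->ID ) ) {
		return new WP_Error(
			'rest_cannot_create_note',
			__( 'Sorry, you are not allowed to create notes on this post.' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}

	return $prepared_comment;
}
```

Place the file in `wp-content/mu-plugins/` so it loads on every request without activation. Returning a `WP_Error` from `rest_pre_insert_comment` makes the controller abort before `wp_insert_comment()` runs, so a Subscriber posting a note against someone else's post receives a 401/403 instead of a created note. Keep the plugin only until the site is on 6.9.2 or later, where the controller's own `create_item_permissions_check()` performs the check.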
NVD CVSS 3.1 base score: 4.3
Vulnerability type
CWE-862 Missing Authorization
Published: 13 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026