WordPress Security Bulletin: WordPress core Vulnerability (CVE-2026-3906)

Security Alert Summary

The Notes feature introduced in WordPress 6.9 contains a permissions-check issue in the REST API comments controller. An authenticated user with Subscriber-level access can create notes on any post because the comments controller method that checks permissions did not verify the user has the edit_post capability on the target post. This allows low-privilege users to add annotations to posts they should not be able to modify.


CVE Details

  • CVE ID: CVE-2026-3906
  • Affected component: WordPress core — Notes feature (block-level collaboration annotations)
  • Affected versions: 6.9 through 6.9.1
  • Published: March 11, 2026 at 10:16:14 AM UTC
  • Last modified: March 11, 2026 at 1:52:47 PM UTC
  • CVSS v3.1: Base Score 4.3 — MEDIUM
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: LOW (authenticated user, e.g., Subscriber-level)
    • User Interaction: NONE
    • Scope: UNCHANGED
    • Confidentiality Impact: NONE
    • Integrity Impact: LOW
    • Availability Impact: NONE
  • CWE / weakness: CWE-862 (Missing Authorization)

Technical Details

The vulnerability exists because the REST API comments controller did not perform the expected authorization check when creating Notes. Specifically, the create_item_permissions_check() method did not verify that the authenticated user has the edit_post capability on the target post. Notes are created through the comments REST endpoints associated with the block editor Notes feature introduced in WordPress 6.9. Because the permissions check is incomplete, an authenticated user with Subscriber-level privileges can create a note on any post, including posts authored by others, private posts, or posts in any status. The impact is limited to the integrity of post annotations (ability to add content in the form of notes) rather than disclosure of confidential data or disruption of availability.
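To make the missing check concrete, the following is an added illustration (not the WordPress core patch and not the bulletin's own code) of the vulnerable shape of a note-creation permissions check next to a hardened one, plus a site-level guard using the real `rest_pre_insert_comment` filter. It assumes that Notes arrive through the comments endpoint with comment type `note` (an assumed value) and that `$request['post']` carries the target post ID.

```php
<?php
// Added example: simplified checks modelled on the comments controller's
// create_item_permissions_check(). Not the actual WordPress core code or fix.

// Vulnerable shape described in the advisory: any logged-in user passes.
function example_vulnerable_note_permissions_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_comment_login_required', 'Login required.', array( 'status' => 401 ) );
    }
    return true; // Missing: can this user edit the post the note targets?
}

// Hardened shape: the note is only allowed if the caller may edit the target post.
function example_hardened_note_permissions_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_comment_login_required', 'Login required.', array( 'status' => 401 ) );
    }
    $post_id = isset( $request['post'] ) ? absint( $request['post'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        return new WP_Error( 'rest_comment_invalid_post_id', 'A valid target post is required.', array( 'status' => 403 ) );
    }
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error( 'rest_cannot_create_note', 'Not allowed to add notes to this post.', array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

// Site-level guard for an unpatched install (e.g. in an mu-plugin): the core
// comments controller runs prepared comments through 'rest_pre_insert_comment'
// before insertion, and returning a WP_Error aborts creation. 'note' is the
// assumed comment type used by the Notes feature.
add_filter( 'rest_pre_insert_comment', function ( $prepared_comment, WP_REST_Request $request ) {
    if ( is_wp_error( $prepared_comment ) ) {
        return $prepared_comment;
    }
    $type    = isset( $prepared_comment['comment_type'] ) ? $prepared_comment['comment_type'] : '';
    $post_id = isset( $prepared_comment['comment_post_ID'] ) ? absint( $prepared_comment['comment_post_ID'] ) : 0;
    if ( 'note' === $type && ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_cannot_create_note', 'Not allowed to add notes to this post.', array( 'status' => rest_authorization_required_code() ) );
    }
    return $prepared_comment;
}, 10, 2 );
```

The filter-based guard is a stopgap only; updating to a patched WordPress release remains the fix.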


How This Could Impact Your Website

Consider a site with multiple roles: a site owner, editors who review content, and external contributors who have Subscriber-level accounts for commenting or previewing content. An authenticated subscriber could add notes to drafts or published posts that they do not own. Those notes could contain misleading instructions, unauthorized editorial suggestions, or links that prompt further action by editors or authors. While the CVSS data indicates the primary impact is on integrity (ability to add notes), this can increase the risk of targeted social engineering or phishing if a malicious note is used to influence editorial decisions or embed deceptive links.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update WordPress to a patched version as soon as one is available. Fixed version: Not specified in the CVE entry.
  • Review and reduce unnecessary user roles and capabilities, particularly for contributors and subscribers.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins and themes to reduce overall attack surface.
  • Monitor site activity and audit logs for unusual behavior related to notes, comments, or post edits.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References