DEBIAN-CVE-2026-3906

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-3906
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-3906.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-3906
Upstream
  • CVE-2026-3906
Published
2026-03-11T10:16:14.217Z
Modified
2026-03-23T09:00:09.436313Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API create_item_permissions_check() method in the comments controller did not verify that the authenticated user has edit_post permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.

References

Affected packages

Debian:14 / wordpress

Package

Name
wordpress
Purl
pkg:deb/debian/wordpress?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.9.4+dfsg1-1

Affected versions

6.*
6.8.1+dfsg1-1
6.8.3+dfsg1-1
6.9+dfsg1-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-3906.json"