Source: wordpress
Version: 6.9+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for wordpress.

CVE-2026-3906[0]:
| WordPress core is vulnerable to unauthorized access in versions 6.9
| through 6.9.1. The Notes feature (block-level collaboration
| annotations) was introduced in WordPress 6.9 to allow editorial
| comments directly on posts in the block editor. However, the REST
| API `create_item_permissions_check()` method in the comments
| controller did not verify that the authenticated user has
| `edit_post` permission on the target post when creating a note. This
| makes it possible for authenticated attackers with Subscriber-level
| access to create notes on any post, including posts authored by
| other users, private posts, and posts in any status.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3906
    https://www.cve.org/CVERecord?id=CVE-2026-3906
[1] https://core.trac.wordpress.org/changeset/61888

Regards,
Salvatore
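As an added illustration (not WordPress core code and not the fix in changeset 61888), here is a simplified REST permission callback in the shape the report describes: the weak variant lets any logged-in user create a note, while the hardened variant resolves the target post and requires `edit_post` on it first. The function names, the `rest_cannot_create_note` error code and the assumption that the post ID arrives in the `post` request parameter are mine.

```php
<?php
// Illustrative, simplified permission callbacks (assumption: not WordPress core).
// Both assume a WP_REST_Request carrying the target post ID in the 'post' param.

/**
 * Weak check of the kind the report describes: being logged in is enough,
 * so a Subscriber can attach a note to any post, whatever its author or status.
 */
function note_create_permissions_check_weak( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_comment_login_required',
            __( 'Sorry, you must be logged in to create a note.' ),
            array( 'status' => 401 ) );
    }
    return true; // Missing: nothing ties the caller's rights to the target post.
}

/**
 * Hardened check: look up the target post and require the edit_post
 * capability for that specific post before allowing note creation.
 */
function note_create_permissions_check_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_comment_login_required',
            __( 'Sorry, you must be logged in to create a note.' ),
            array( 'status' => 401 ) );
    }

    $post_id = (int) $request->get_param( 'post' );
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        return new WP_Error( 'rest_comment_invalid_post_id',
            __( 'Sorry, a note must be attached to an existing post.' ),
            array( 'status' => 403 ) );
    }

    // Per-post capability check: edit_post is mapped through map_meta_cap,
    // so post author, status and private visibility are all taken into
    // account and a Subscriber is refused.
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error( 'rest_cannot_create_note', // assumed error code
            __( 'Sorry, you are not allowed to create notes on this post.' ),
            array( 'status' => rest_authorization_required_code() ) );
    }

    return true;
}
```

Registering the hardened callback as `permission_callback` for the note-creation route is the point at which the per-post check becomes effective; a callback that only tests `is_user_logged_in()` reproduces the reported gap.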

