Your message dated Wed, 18 Mar 2026 11:49:48 +0000
with message-id <[email protected]>
and subject line Bug#1131148: fixed in wordpress 6.9.4+dfsg1-1
has caused the Debian Bug report #1131148,
regarding wordpress: CVE-2026-3906
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131148: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131148
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: wordpress
Version: 6.9+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for wordpress.

CVE-2026-3906[0]:
| WordPress core is vulnerable to unauthorized access in versions 6.9
| through 6.9.1. The Notes feature (block-level collaboration
| annotations) was introduced in WordPress 6.9 to allow editorial
| comments directly on posts in the block editor. However, the REST
| API `create_item_permissions_check()` method in the comments
| controller did not verify that the authenticated user has
| `edit_post` permission on the target post when creating a note. This
| makes it possible for authenticated attackers with Subscriber-level
| access to create notes on any post, including posts authored by
| other users, private posts, and posts in any status.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3906
    https://www.cve.org/CVERecord?id=CVE-2026-3906
[1] https://core.trac.wordpress.org/changeset/61888

Regards,
Salvatore

--- End Message ---
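The CVE text above describes a REST permission callback that accepted note creation for any post without confirming the caller could edit that post. The following PHP is an added illustration of the shape of the missing check, written for this page; it is not WordPress core code and not the contents of changeset 61888. It assumes that notes are stored as comments with comment_type 'note', that the request carries the target post id in a 'post' parameter, and uses a hypothetical route name `example/v1/notes`; the WordPress functions it calls (`current_user_can`, `get_post`, `rest_authorization_required_code`, `register_rest_route`, `wp_insert_comment`) are real core APIs.

```php
<?php
// Added illustration: a permission callback for creating a note that binds
// the authorization decision to the specific target post. Assumptions:
// notes are comments of type 'note' and the post id arrives as 'post'.

/**
 * Permission callback for POST requests that create a note.
 *
 * @param WP_REST_Request $request Incoming request.
 * @return true|WP_Error True when allowed, WP_Error otherwise.
 */
function example_note_create_permissions_check( WP_REST_Request $request ) {
    // Anonymous callers are rejected outright.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to create a note.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    // The target post must exist; a note cannot be attached to nothing.
    $post_id = (int) $request->get_param( 'post' );
    $post    = get_post( $post_id );
    if ( ! $post ) {
        return new WP_Error(
            'rest_post_invalid_id',
            __( 'Invalid post ID.' ),
            array( 'status' => 404 )
        );
    }

    // This is the check the CVE text says was absent: the caller must hold
    // edit_post on this particular post. A Subscriber fails it for every
    // post; an Author passes only for their own posts (edit_post maps to
    // edit_posts there); an Editor passes for any post (edit_others_posts).
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error(
            'rest_cannot_create_note',
            __( 'Sorry, you are not allowed to create notes on this post.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return true;
}

/**
 * Route callback (hypothetical): stores the note as a comment of type 'note'.
 * It runs only after the permission callback above returned true.
 */
function example_create_note( WP_REST_Request $request ) {
    $comment_id = wp_insert_comment( array(
        'comment_post_ID' => (int) $request->get_param( 'post' ),
        'comment_content' => sanitize_text_field( $request->get_param( 'content' ) ),
        'comment_type'    => 'note',
        'user_id'         => get_current_user_id(),
    ) );
    return rest_ensure_response( array( 'id' => $comment_id ) );
}

// Wire the callbacks to a hypothetical route. Declaring 'post' as a required
// integer lets the REST server reject malformed ids before either callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route(
        'example/v1',
        '/notes',
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'example_create_note',
            'permission_callback' => 'example_note_create_permissions_check',
            'args'                => array(
                'post'    => array( 'type' => 'integer', 'required' => true ),
                'content' => array( 'type' => 'string',  'required' => true ),
            ),
        )
    );
} );
```

The point a reviewer would look for is that the capability check names the post (`edit_post` with an id), not just a role-level capability such as `edit_posts`: the latter would still let any Author annotate another user's private post, which is exactly the class of access the advisory describes.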
--- Begin Message ---
Source: wordpress
Source-Version: 6.9.4+dfsg1-1
Done: Craig Small <[email protected]>

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <[email protected]> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Mar 2026 22:21:35 +1100
Source: wordpress
Architecture: source
Version: 6.9.4+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Craig Small <[email protected]>
Changed-By: Craig Small <[email protected]>
Closes: 1110356 1131148
Changes:
 wordpress (6.9.4+dfsg1-1) unstable; urgency=medium
 .
   * New upstream security release Closes: #1131148
     - Check permissions on edit notes CVE-2026-3906
   * Update setup-mysql script Closes: #1110356
Checksums-Sha1:
 e8a16ce4aa66d20a34fdcc2c467ecd751bf5c671 2422 wordpress_6.9.4+dfsg1-1.dsc
 d94b8ac5762f168cf96cd8bd8b700689ea5d1478 22386588 wordpress_6.9.4+dfsg1.orig.tar.xz
 2846272ae9efb0e9d078d3e1060acc1924023056 6913884 wordpress_6.9.4+dfsg1-1.debian.tar.xz
 85b57c2a47f45d5244a70d393af4904778533890 7644 wordpress_6.9.4+dfsg1-1_amd64.buildinfo
Checksums-Sha256:
 a1a57364df4ae0c9261b2170d8c1b93cceac44c0c089e7008b31818b73904e91 2422 wordpress_6.9.4+dfsg1-1.dsc
 5133312566d31d5d6f5b02034bc5a90416485e044ab196d71e50ba3f9d9fe435 22386588 wordpress_6.9.4+dfsg1.orig.tar.xz
 7f96d5284c9680f878f116be3a68cdf1e03c445f6966312053ba3efd3acfa01f 6913884 wordpress_6.9.4+dfsg1-1.debian.tar.xz
 200f046223a8e87c2a8e7a2e1fffbd24f05c2ffc74d463f46903635f588575bb 7644 wordpress_6.9.4+dfsg1-1_amd64.buildinfo
Files:
 5c631f4f38c3be1cb4a607f48142801a 2422 web optional wordpress_6.9.4+dfsg1-1.dsc
 3e5f6416e08c74c569c4e55837e018da 22386588 web optional wordpress_6.9.4+dfsg1.orig.tar.xz
 2dde18f76b19d5b2fcb89424f31b5c81 6913884 web optional wordpress_6.9.4+dfsg1-1.debian.tar.xz
 e63663c1fc605c6b579610174599e285 7644 web optional wordpress_6.9.4+dfsg1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgp6hkDeyz8P9.pgp
Description: PGP signature


--- End Message ---
