Executive Summary

This vulnerability exists in WordPress core versions 6.9 through 6.9.1 and involves the Notes feature, which allows editorial comments directly on posts in the block editor.

The issue is that the REST API method responsible for creating notes did not properly check whether the authenticated user had permission to edit the target post. As a result, any authenticated user with Subscriber-level access could create notes on any post, including those authored by others, private posts, or posts in any status.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated users with minimal permissions (Subscriber-level) to create notes on posts they should not have access to modify or annotate.

While it does not allow editing or deleting posts, it can lead to unauthorized annotations on private or restricted content, potentially exposing editorial workflows or sensitive information through these notes.

This unauthorized note creation could be used to disrupt editorial processes or inject misleading comments on posts.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized creation of notes via the WordPress REST API by authenticated users with Subscriber-level access. Detection can focus on monitoring REST API requests to the comments endpoint that attempt to create notes on posts without proper permissions.'}, {'type': 'paragraph', 'content': "You can detect attempts to exploit this vulnerability by inspecting HTTP POST requests to the REST API endpoint `/wp/v2/comments` with a payload indicating a note creation (`type` parameter as 'note') and a `post` parameter specifying the target post."}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity include:'}, {'type': 'list_item', 'content': 'Using web server logs (e.g., Apache or Nginx), search for POST requests to `/wp-json/wp/v2/comments` with note creation attempts:'}, {'type': 'list_item', 'content': 'grep \'POST /wp-json/wp/v2/comments\' /var/log/apache2/access.log | grep \'"type":"note"\''}, {'type': 'list_item', 'content': 'Using curl to test if unauthorized note creation is possible (should be denied if patched):'}, {'type': 'list_item', 'content': 'curl -X POST -H "Authorization: Bearer <subscriber_token>" -d \'{"type":"note", "post":<post_id>, "content":"test note"}\' https://yourwordpresssite.com/wp-json/wp/v2/comments'}, {'type': 'paragraph', 'content': 'If the response returns an error with code `rest_cannot_create_note` and a message indicating lack of permission, the system is protected. Otherwise, unauthorized note creation may be possible.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately update WordPress core to a version later than 6.9.1 where the authorization check for note creation via the REST API has been implemented.

The patch adds a permission check in the REST API comments controller to ensure that only users with the `edit_post` capability on the target post can create notes, preventing unauthorized note creation.

If immediate updating is not possible, consider temporarily restricting access to the REST API comments endpoints for Subscriber-level users or disabling the Notes feature until the patch can be applied.

Useful 0 Not Useful 0