[wp-trac] [WordPress Trac] #64198: Notes are accessible to any authenticated user with `edit_posts` capability using query args
WordPress Trac
noreply at wordpress.org
Tue Nov 4 16:35:40 UTC 2025
#64198: Notes are accessible to any authenticated user with `edit_posts` capability using query args
--------------------------+--------------------
Reporter: desrosj | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.9
Component: Comments | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+--------------------
When a site has notes, they are only supposed to be visible to users that
are allowed to edit the post the note was left on.
However, I discovered that ''all'' notes on a given site can be viewed by
any authenticated user with the `edit_posts` capability (Contributor and
higher by default) by adding `comment_type=note` as a query parameter to
the `wp-admin/edit-comments.php` page.
The user is only able to perform actions on notes left on a post they
created, but all notes are visible.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64198>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
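The report above describes the gap (every note is listed for any `edit_posts` user once `comment_type=note` is passed to `wp-admin/edit-comments.php`) but not a fix. The following is an added example, not code from the ticket and not WordPress core's eventual patch: a plugin-style mitigation that enforces the stated rule, notes are visible only to users who can edit the post the note was left on. It assumes that notes live in the comments table with `comment_type` `note` (inferred from the query parameter in the report) and that `edit-comments.php` lists comments through `WP_Comment_Query`, so the core `pre_get_comments` action and `the_comments` filter apply; the function and constant names are the example's own.

```php
<?php
/**
 * Added example, not WordPress core code and not the fix from ticket #64198.
 * Hides 'note' comments from users who cannot edit the post the note is on.
 *
 * Assumptions not stated on the ticket page:
 *  - notes are stored as comments with comment_type 'note';
 *  - wp-admin/edit-comments.php lists comments via WP_Comment_Query, so the
 *    'pre_get_comments' action and 'the_comments' filter run for that screen.
 */

/** Comment type used for notes (assumed from the report's query parameter). */
const EXAMPLE_NOTE_TYPE = 'note';

add_action( 'pre_get_comments', 'example_scope_note_query' );
add_filter( 'the_comments', 'example_drop_unreadable_notes', 10, 2 );

/**
 * First layer: when a query explicitly asks for notes, restrict it to the
 * current user's own posts unless the user may edit other users' posts.
 * Doing this in SQL keeps found_comments and pagination from revealing how
 * many notes exist on posts the user cannot see.
 *
 * @param WP_Comment_Query $query Query being prepared (passed by reference).
 */
function example_scope_note_query( $query ) {
	if ( ! example_query_targets_notes( $query->query_vars ) ) {
		return;
	}
	if ( current_user_can( 'edit_others_posts' ) ) {
		return; // The per-post check in the second layer still applies.
	}

	$own_posts = get_posts(
		array(
			'author'      => get_current_user_id(),
			'post_type'   => 'any',
			'post_status' => 'any',
			'numberposts' => -1,
			'fields'      => 'ids',
		)
	);

	// WP_Comment_Query ignores an empty post__in (it would mean "no filter"),
	// so force an empty result with an ID no post can have instead.
	$query->query_vars['post__in'] = $own_posts ? $own_posts : array( 0 );
}

/**
 * Does the query name the note type, either via 'type' or 'type__in'?
 *
 * @param array $vars WP_Comment_Query::$query_vars.
 * @return bool
 */
function example_query_targets_notes( array $vars ) {
	$types = array_merge(
		(array) ( isset( $vars['type'] ) ? $vars['type'] : '' ),
		(array) ( isset( $vars['type__in'] ) ? $vars['type__in'] : array() )
	);
	return in_array( EXAMPLE_NOTE_TYPE, $types, true );
}

/**
 * Second layer: a per-comment gate applied to the objects a query returns,
 * whichever query produced them. This also covers queries that did not name
 * the type at all (for example type = '', which means every comment type).
 *
 * @param WP_Comment[]     $comments Comments returned by the query.
 * @param WP_Comment_Query $query    The query (unused).
 * @return WP_Comment[]
 */
function example_drop_unreadable_notes( $comments, $query ) {
	return array_values( array_filter( $comments, 'example_can_read_note' ) );
}

/**
 * Ordinary comments pass through untouched; a note is readable only when the
 * current user holds edit_post for the post it was left on.
 *
 * @param mixed $comment A WP_Comment object (anything else is passed through).
 * @return bool
 */
function example_can_read_note( $comment ) {
	if ( ! ( $comment instanceof WP_Comment ) || EXAMPLE_NOTE_TYPE !== $comment->comment_type ) {
		return true;
	}
	return current_user_can( 'edit_post', (int) $comment->comment_post_ID );
}
```

Two caveats a reviewer would raise against this mitigation. The `the_comments` filter only sees comment objects, so a query run with `fields => 'ids'` bypasses the second layer, and for queries that the first layer does not scope, `found_comments` is computed in SQL before the filter runs, so the total shown in the list table can still reveal that hidden notes exist. A core fix belongs in the query itself (or in the capability checks that `edit-comments.php` applies per comment type), which is why this is labelled a stopgap rather than the fix.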