CVE-2019-20043

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

Published: Dec 27, 2019
Updated: May 9, 2024
CVE: CVE-2019-20043
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-269

Affected Software
References

Software	From	Fixed in
WordPress / wordpress	3.7	5.3.1
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x

https://core.trac.wordpress.org/changeset/46893/trunk
https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
https://seclists.org/bugtraq/2020/Jan/8
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
https://wpvulndb.com/vulnerabilities/9973
https://www.debian.org/security/2020/dsa-4599
https://www.debian.org/security/2020/dsa-4677

Vulnerability Database

289,599

CVE-2019-20043