CVE-2019-20043

medium

Description

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

References

Advisories
More

https://www.debian.org/security/2020/dsa-4677

https://www.debian.org/security/2020/dsa-4599

https://wpvulndb.com/vulnerabilities/9973

https://seclists.org/bugtraq/2020/Jan/8

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw

https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9

https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

https://core.trac.wordpress.org/changeset/46893/trunk

Details

Source: Mitre, NVD

Published: 2019-12-27

Updated: 2023-01-20

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.0104