CVE-2019-20043 Information
Description
In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this flaw allowed contributors to bypass that restriction. This has been patched in WordPress 5.3.1 and, via a minor release, in all previous WordPress versions from 3.7 to 5.3.
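The flaw described above is a missing authorization check on one field: the REST posts controller accepted a `sticky` value from any authenticated user who could edit the post, while wp-admin has always required the `edit_others_posts` capability for the same action. The snippet below is an added illustration of that guard written as a small WordPress plugin; it is not the WordPress project's patch and not code from the advisory. It assumes the `rest_pre_insert_post` filter (which the posts controller applies before inserting or updating a post, and which aborts the request when a `WP_Error` is returned) and the `edit_others_posts` capability as the gate; the error code `rest_cannot_assign_sticky` is a constructed name. Upgrading to 5.3.1 or the corresponding minor release remains the actual fix; this only shows what the missing check looks like.

```php
<?php
/**
 * Plugin Name: Sticky capability guard (illustrative example, not the core patch)
 *
 * Rejects REST API requests that try to set or clear the 'sticky' flag when the
 * calling user lacks edit_others_posts, mirroring what the classic editor checks.
 */

// Assumption: rest_pre_insert_{$post_type} runs for both create and update in
// WP_REST_Posts_Controller, and returning a WP_Error aborts the request before
// wp_insert_post() and before stick_post()/unstick_post() are called.
add_filter( 'rest_pre_insert_post', function ( $prepared_post, WP_REST_Request $request ) {
    // Another filter may already have rejected the request; pass that through.
    if ( is_wp_error( $prepared_post ) ) {
        return $prepared_post;
    }

    // Only act when the client explicitly sent the 'sticky' field; an absent field
    // must not block ordinary edits by contributors.
    if ( ! isset( $request['sticky'] ) ) {
        return $prepared_post;
    }

    // Assumption: edit_others_posts is the capability wp-admin requires for
    // sticky changes, so REST should require the same one.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error(
            'rest_cannot_assign_sticky', // constructed error code for this example
            __( 'Sorry, you are not allowed to make posts sticky.' ),
            // 401 for anonymous callers, 403 for authenticated ones.
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $prepared_post;
}, 10, 2 );
```

The check deliberately keys on whether `sticky` was present in the request rather than on its value, so that a contributor sending `"sticky": false` to unstick someone else's post is refused just like one sending `"sticky": true`.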
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Reference
https://core.trac.wordpress.org/changeset/46893/trunk
https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
https://seclists.org/bugtraq/2020/Jan/8
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
https://wpvulndb.com/vulnerabilities/9973
https://www.debian.org/security/2020/dsa-4599
https://www.debian.org/security/2020/dsa-4677
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.3
Base Severity
MEDIUM