CVE-2019-20043 Information

Description

In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 through 5.3.0, authenticated users who lack the capability to publish a post could still mark posts as sticky or unsticky via the REST API. The Contributor role, for example, has no such right, but the REST posts endpoint did not enforce it, so Contributors could bypass that restriction. This was patched in WordPress 5.3.1, and the fix was backported to all affected branches from 3.7 to 5.3 via minor releases.
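The following is an added illustration, not the upstream patch and not code from the page or from WordPress core (the real diff is changeset 46893 in the references). It models the gap the description names on a hypothetical custom route, example/v1/posts/{id}, that mirrors the relevant part of wp/v2/posts: a permission callback that only asks "may this user edit this post?" lets a Contributor editing their own draft pass, after which the handler honours a sticky field with no further check. The hardened callback additionally gates any presence of sticky on the post type's publish_posts / edit_others_posts capabilities, which Contributors do not hold. The function names prefixed example_ are assumptions introduced here.

```php
<?php
/**
 * Added example (not WordPress core code). Drop into a plugin file to run.
 * Route: POST /wp-json/example/v1/posts/<id>  with body {"sticky": true|false}
 */

// Shared lookup: resolve the post and require the ordinary edit_post capability.
function example_resolve_post( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error(
            'rest_cannot_edit',
            'Sorry, you are not allowed to edit this post.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $post;
}

// VULNERABLE pattern: edit_post is the only gate. A Contributor may edit their
// own draft, so the request passes and the handler below honours 'sticky'.
function example_update_permissions_vulnerable( WP_REST_Request $request ) {
    $post = example_resolve_post( $request );
    return is_wp_error( $post ) ? $post : true;
}

// HARDENED pattern: stickiness is a site-wide publishing decision. If the
// request carries 'sticky' at all (true OR false, since unsticking is also
// covered by the description), require publish_posts or edit_others_posts
// for this post type in addition to edit_post.
function example_update_permissions_hardened( WP_REST_Request $request ) {
    $post = example_resolve_post( $request );
    if ( is_wp_error( $post ) ) {
        return $post;
    }
    $post_type = get_post_type_object( $post->post_type );
    if ( $request->has_param( 'sticky' )
        && ! current_user_can( $post_type->cap->edit_others_posts )
        && ! current_user_can( $post_type->cap->publish_posts ) ) {
        return new WP_Error(
            'rest_cannot_assign_sticky',
            'Sorry, you are not allowed to make posts sticky.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handler: runs only after the permission callback returned true, so all
// authorisation must already have happened above.
function example_update_post( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    if ( $request->has_param( 'sticky' ) ) {
        if ( $request->get_param( 'sticky' ) ) {
            stick_post( $post_id );
        } else {
            unstick_post( $post_id );
        }
    }
    return rest_ensure_response( array( 'id' => $post_id, 'sticky' => is_sticky( $post_id ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/posts/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_post',
        // Swap in example_update_permissions_vulnerable to reproduce the gap.
        'permission_callback' => 'example_update_permissions_hardened',
        'args'                => array(
            'sticky' => array( 'type' => 'boolean' ),
        ),
    ) );
} );
```

To confirm a fix of this shape, log in as a Contributor, create a draft, and POST {"sticky": true} to the route: the hardened callback answers with rest_cannot_assign_sticky and a 401/403 status from rest_authorization_required_code(), while the vulnerable callback returns 200 and the post becomes sticky. Checking presence of the field with has_param() rather than ! empty() matters because a Contributor unsticking someone else's featured post is the same authorisation failure.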

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Reference

https://core.trac.wordpress.org/changeset/46893/trunk
https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
https://seclists.org/bugtraq/2020/Jan/8
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
https://wpvulndb.com/vulnerabilities/9973
https://www.debian.org/security/2020/dsa-4599
https://www.debian.org/security/2020/dsa-4677

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.3

Base Severity

MEDIUM