CVE-2019-20043
N/A
N/A
Summary
In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://wpvulndb.com/vulnerabilities/9973
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
- https://core.trac.wordpress.org/changeset/46893/trunk
- https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
- https://seclists.org/bugtraq/2020/Jan/8
- https://www.debian.org/security/2020/dsa-4599
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
- https://www.debian.org/security/2020/dsa-4677
References
- https://wpvulndb.com/vulnerabilities/9973
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
- https://core.trac.wordpress.org/changeset/46893/trunk
- https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
- https://seclists.org/bugtraq/2020/Jan/8
- https://www.debian.org/security/2020/dsa-4599
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
- https://www.debian.org/security/2020/dsa-4677
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.