QwikSec

Security Database

CVE

CWE

Training

CVE-2019-20043

Published: Dec 27, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://wpvulndb.com/vulnerabilities/9973

x_refsource_MISC

https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

x_refsource_MISC

https://core.trac.wordpress.org/changeset/46893/trunk

x_refsource_MISC

https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9

x_refsource_MISC

20200108 [SECURITY] [DSA 4599-1] wordpress security update

mailing-list

x_refsource_BUGTRAQ

vendor-advisory

x_refsource_DEBIAN

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw

x_refsource_CONFIRM

vendor-advisory

x_refsource_DEBIAN

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.