Unrated severity · NVD Advisory · Published Dec 27, 2019 · Updated Aug 5, 2024
CVE-2019-20043
Description
In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this flaw allowed contributors to bypass that restriction. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
Affected products
- WordPress/WordPress (description)
- Range: 3.7 <= version < 5.3.1
References
- www.debian.org/security/2020/dsa-4599 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.debian.org/security/2020/dsa-4677 (mitre, vendor-advisory, x_refsource_DEBIAN)
- core.trac.wordpress.org/changeset/46893/trunk (mitre, x_refsource_MISC)
- github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9 (mitre, x_refsource_MISC)
- github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw (mitre, x_refsource_CONFIRM)
- seclists.org/bugtraq/2020/Jan/8 (mitre, mailing-list, x_refsource_BUGTRAQ)
- wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ (mitre, x_refsource_MISC)
- wpvulndb.com/vulnerabilities/9973 (mitre, x_refsource_MISC)