CVE-2019-20043

🗓️ 27 Dec 2019 07:14:16Reported by mitreType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 215 Views🌐 WEB

CVE-2019-20043: Authenticated users can mark posts as sticky via WP REST AP

Reporter	Title	Published	Views	Family All 64
BDU FSTEC	The vulnerability of the class-wp-rest-posts-controller function in the WordPress content management system, related to insecure privilege management, allows attackers to compromise data integrity.	7 May 202000:00	–	bdu_fstec
Circl	CVE-2019-20043	17 Mar 202415:21	–	circl
CNVD	WordPress Unauthorized Operation Vulnerability (CNVD-2020-03944)	27 Dec 201900:00	–	cnvd
Cvelist	CVE-2019-20043	27 Dec 201907:14	–	cvelist
Debian	[SECURITY] [DSA 4599-1] wordpress security update	8 Jan 202005:47	–	debian
Debian	[SECURITY] [DSA 4599-1] wordpress security update	8 Jan 202005:47	–	debian
Debian	[SECURITY] [DSA 4677-1] wordpress security update	6 May 202006:30	–	debian
Debian	[SECURITY] [DSA 4677-1] wordpress security update	6 May 202006:30	–	debian
Debian CVE	CVE-2019-20043	27 Dec 201907:14	–	debiancve
Tenable Nessus	Debian DSA-4599-1 : wordpress - security update	9 Jan 202000:00	–	nessus

NVD

Node

Node

Source	Link
github	www.github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
debian	www.debian.org/security/2020/dsa-4677
core	www.core.trac.wordpress.org/changeset/46893/trunk
seclists	www.seclists.org/bugtraq/2020/Jan/8
wpvulndb	www.wpvulndb.com/vulnerabilities/9973
debian	www.debian.org/security/2020/dsa-4599
github	www.github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
wordpress	www.wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

Parameter	Position	Path	Description	CWE
sticky	path	wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php	Authenticated users without publish rights could mark posts as sticky via the REST API, bypassing permission checks.	CWE-269

17 Jun 2026 02:29Current

6.2Medium risk

Vulners AI Score6.2

CVSS 3.14.3

CVSS 25

EPSS0.02475