Lucene search

K

MitreCVELIST:CVE-2019-20043

HistoryDec 27, 2019 - 7:14 a.m.

CVE-2019-20043

2019-12-2707:14:16

mitre

www.cve.org

6.3 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

68.5%

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

References

core.trac.wordpress.org/changeset/46893/trunk

github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9

github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw

seclists.org/bugtraq/2020/Jan/8

wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

wpvulndb.com/vulnerabilities/9973

www.debian.org/security/2020/dsa-4599

www.debian.org/security/2020/dsa-4677

6.3 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

68.5%

Related for CVELIST:CVE-2019-20043

nvd2 prion1 veracode1 debiancve1 cve2 ubuntucve1 osv2 wpvulndb1 openvas3 nessus2 debian4