Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2019-20043

Date: December 27, 2019

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

Language: PHP

Severity Score

Related Resources (12)

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
https://wpvulndb.com/vulnerabilities/9973
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20043
https://seclists.org/bugtraq/2020/Jan/8
https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
https://core.trac.wordpress.org/changeset/46893/trunk
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
https://www.debian.org/security/2020/dsa-4677
https://www.debian.org/security/2020/dsa-4599
https://security-tracker.debian.org/tracker/CVE-2019-20043
https://nvd.nist.gov/vuln/detail/CVE-2019-20043
https://www.mend.io/vulnerability-database/CVE-2019-20043

Severity Score

Weakness Type (CWE)

Improper Privilege Management

CWE-269

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us