CVE-2019-20043
Published: 27 December 2019
In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this flaw allowed contributors to bypass that restriction. This has been patched in WordPress 5.3.1, and in all previous WordPress versions from 3.7 to 5.3 via a minor release.
Priority
Status
Package | Release | Status
---|---|---
wordpress (Launchpad, Ubuntu, Debian) | bionic | Needs triage
wordpress | disco | Ignored (end of life)
wordpress | eoan | Ignored (end of life)
wordpress | focal | Not vulnerable (5.3.2+dfsg1-1)
wordpress | groovy | Not vulnerable (5.3.2+dfsg1-1)
wordpress | hirsute | Not vulnerable (5.3.2+dfsg1-1)
wordpress | impish | Not vulnerable (5.3.2+dfsg1-1)
wordpress | jammy | Not vulnerable (5.3.2+dfsg1-1)
wordpress | kinetic | Not vulnerable (5.3.2+dfsg1-1)
wordpress | lunar | Not vulnerable (5.3.2+dfsg1-1)
wordpress | mantic | Not vulnerable (5.3.2+dfsg1-1)
wordpress | noble | Not vulnerable (5.3.2+dfsg1-1)
wordpress | trusty | Does not exist
wordpress | upstream | Released (5.3.2+dfsg1-1)
wordpress | xenial | Needs triage
Severity score breakdown
Parameter | Value
---|---
Base score | 4.3
Attack vector | Network
Attack complexity | Low
Privileges required | Low
User interaction | None
Scope | Unchanged
Confidentiality impact | None
Integrity impact | Low
Availability impact | None
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References
- https://core.trac.wordpress.org/changeset/46893/trunk
- https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
- https://wpvulndb.com/vulnerabilities/9973
- https://www.cve.org/CVERecord?id=CVE-2019-20043
- NVD
- Launchpad
- Debian