Lucene search

K

GoogleOSV:CVE-2019-20043

HistoryDec 27, 2019 - 8:15 a.m.

CVE-2019-20043

2019-12-2708:15:09

Google

osv.dev

8

AI Score

6.3

Confidence

Low

EPSS

0.003

Percentile

68.4%

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

References

core.trac.wordpress.org/changeset/46893/trunk

github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9

github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw

seclists.org/bugtraq/2020/Jan/8

wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

wpvulndb.com/vulnerabilities/9973

www.debian.org/security/2020/dsa-4599

www.debian.org/security/2020/dsa-4677

AI Score

6.3

Confidence

Low

EPSS

0.003

Percentile

68.4%

Related for OSV:CVE-2019-20043

veracode1 debiancve1 cve2 prion1 nvd2 cvelist1 ubuntucve1 wpvulndb1 openvas3 debian4 nessus2 osv1