WordPress is vulnerable to authorization bypass. The vulnerability exists through a missing access control check in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php, allowing an unauthenticated user to post a sticky post through the REST API.
core.trac.wordpress.org/changeset/46893/trunk
github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
github.com/WordPress/WordPress/commit/da95cca74cd3bfec0260ee93b179519a3e740742
seclists.org/bugtraq/2020/Jan/8
wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
wpvulndb.com/vulnerabilities/9973
www.debian.org/security/2020/dsa-4599
www.debian.org/security/2020/dsa-4677