CVE-2019-20043

NameCVE-2019-20043
DescriptionIn in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4599-1
NVD severitymedium
Debian Bugs946905

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wordpress (PTS)jessie4.1+dfsg-1+deb8u17fixed
jessie (security)4.1.29+dfsg-0+deb8u1fixed
stretch (security), stretch4.7.5+dfsg-2+deb9u5vulnerable
buster5.0.4+dfsg1-1vulnerable
buster (security)5.0.4+dfsg1-1+deb10u1fixed
bullseye, sid5.3.2+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wordpresssource(unstable)5.3.2+dfsg1-1946905
wordpresssourcebuster5.0.4+dfsg1-1+deb10u1DSA-4599-1
wordpresssourcejessie(not affected)

Notes

[jessie] - wordpress <not-affected> (Vulnerable REST API introduced in 4.4)
https://core.trac.wordpress.org/changeset/46893/trunk
https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

Search for package or bug name: Reporting problems