CVE-2019-20043 : In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordP

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

Published 2019-12-27 08:15:10

Updated 2023-01-20 16:11:09

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2019-20043

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress
Versions from including (>=) 3.7 and before (<) 5.3.1
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2019-20043

Top countries where our scanners detected CVE-2019-20043

Top open port discovered on systems with this issue 80

IPs affected by CVE-2019-20043 3,178

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2019-20043!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2019-20043

EPSS FAQ

0.30%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 69 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-20043

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2019-20043

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-20043

https://www.debian.org/security/2020/dsa-4599

Debian -- Security Information -- DSA-4599-1 wordpress
Third Party Advisory

CVEs referencing this url
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

News – WordPress 5.3.1 Security and Maintenance Release – WordPress.org
Release Notes;Vendor Advisory

CVEs referencing this url
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw

Users without "publish_posts" rights can mark sticky/unsticky a post via REST API · Advisory · WordPress/wordpress-develop · GitHub
Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/8

Bugtraq: [SECURITY] [DSA 4599-1] wordpress security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://wpvulndb.com/vulnerabilities/9973

WordPress <= 5.3 - Improper Access Controls
Release Notes;Third Party Advisory
https://core.trac.wordpress.org/changeset/46893/trunk

Changeset 46893 for trunk – WordPress Trac
Patch
https://www.debian.org/security/2020/dsa-4677

Debian -- Security Information -- DSA-4677-1 wordpress
Third Party Advisory

CVEs referencing this url
https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9

Ensure that a user can publish_posts before making a post sticky. · WordPress/wordpress-develop@1d1d5be · GitHub
Third Party Advisory