| Name | CVE-2019-20043 |
| Description | In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-4599-1 |
| Debian Bugs | 946905 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| wordpress (PTS) | jessie, jessie (lts) | 4.1.35+dfsg-0+deb8u1 | fixed |
| stretch (security), stretch (lts), stretch | 4.7.23+dfsg-0+deb9u1 | fixed | |
| buster | 5.0.15+dfsg1-0+deb10u1 | fixed | |
| buster (security) | 5.0.21+dfsg1-0+deb10u1 | fixed | |
| bullseye (security), bullseye | 5.7.8+dfsg1-0+deb11u2 | fixed | |
| bookworm | 6.1.1+dfsg1-1 | fixed | |
| trixie | 6.5+dfsg1-1 | fixed | |
| sid | 6.5.2+dfsg1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| wordpress | source | wheezy | (unfixed) | end-of-life | ||
| wordpress | source | jessie | (not affected) | |||
| wordpress | source | stretch | 4.7.5+dfsg-2+deb9u6 | |||
| wordpress | source | buster | 5.0.4+dfsg1-1+deb10u1 | DSA-4599-1 | ||
| wordpress | source | (unstable) | 5.3.2+dfsg1-1 | 946905 |
[jessie] - wordpress <not-affected> (Vulnerable REST API introduced in 4.4)
https://core.trac.wordpress.org/changeset/46893/trunk
https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/