Description
In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this flaw allowed contributors to bypass that restriction. This has been patched in WordPress 5.3.1, along with all previous WordPress versions from 3.7 to 5.3 via a minor release.
References (8)
Release Notes, Third Party Advisory: https://wpvulndb.com/vulnerabilities/9973
Release Notes, Vendor Advisory: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
Patch: https://core.trac.wordpress.org/changeset/46893/trunk
Third Party Advisory: https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
Mailing List, Third Party Advisory (Bugtraq): https://seclists.org/bugtraq/2020/Jan/8
Vendor Advisory, Third Party Advisory (Debian): https://www.debian.org/security/2020/dsa-4599
Third Party Advisory: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
Vendor Advisory, Third Party Advisory (Debian): https://www.debian.org/security/2020/dsa-4677
Scores
CVSS v3: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Attack Vector: NETWORK
EPSS: 0.0117
EPSS Percentile: 78.8%
Details
CWE: CWE-269
Status: published
Products (3)
debian/debian_linux 9.0
debian/debian_linux 10.0
wordpress/wordpress 3.7 - 5.3.1
Published: Dec 27, 2019
Tracked Since: Feb 18, 2026