CVE-2019-20043

MEDIUM Year: 2019
CVSS v3 Score
4.3
Medium
CVSS v2 Score
5.0
Medium
Weakness Type
CWE-269
View all →

Vulnerability Description

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

Related Vulnerabilities

CVE-2015-9390

MEDIUM
CVSS:4.3(Medium)

The admin-management-xtended plugin before 2.4.0.1 for WordPress has privilege escalation because wp_ajax functions are mishandled.

CWE-2692015

CVE-2017-10857

MEDIUM
CVSS:4.3(Medium)

Cybozu Office 10.0.0 to 10.6.1 allows authenticated attackers to bypass access restriction to perform arbitrary actions via "Cabinet" function.

CWE-2692017

CVE-2017-1326

MEDIUM
CVSS:4.3(Medium)

IBM Sterling File Gateway does not properly restrict user requests based on permission level. This allows for users to update data related to other users, by manipulating the parameters passed in the ...

CWE-2692017

CVE-2017-15014

MEDIUM
CVSS:4.3(Medium)

OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows authenticated users to download arbitrary content files regardle...

CWE-2692017

CVE-2017-2094

MEDIUM
CVSS:4.3(Medium)

Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to bypass access restriction in Workflow and the "MultiReport" function to alter or delete information via unspecified vectors.

CWE-2692017

CVE-2017-6954

MEDIUM
CVSS:4.3(Medium)

An issue was discovered in includes/component.php in the BuddyPress Docs plugin before 1.9.3 for WordPress. It is possible for authenticated users to edit documents of other users without proper permi...

CWE-2692017