PT-2019-5224 · WordPress · Wordpress

Nguyen The Duc · Published 2019-09-11 · Updated 2023-01-20 · CVE-2019-20043

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: WordPress versions 3.7 through 5.3.0
Description: The issue is related to an authentication error in the class-wp-rest-posts-controller function of the WordPress content management system, allowing users to mark posts as sticky via the REST API. This could be exploited by a remote attacker to impact data integrity. Authenticated users without the rights to publish a post, such as those with the contributor role, could bypass restrictions and mark posts as sticky or unsticky.
Recommendations: For WordPress versions 3.7 through 5.3.0, update to version 5.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API endpoint related to post management until the update is applied.
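The temporary workaround above can be narrowed to exactly the gap the description names: refuse any REST write to the posts endpoint that carries a `sticky` parameter from a user lacking the `publish_posts` capability. The following must-use plugin is an added illustration written for this advisory, not WordPress core or the reporter's code; it assumes the missing check is a `publish_posts` capability check on the `sticky` parameter, and the hook, request methods and error code it uses are standard WordPress APIs, while the function and error-code names are chosen here.

```php
<?php
/**
 * Plugin Name: Temporary mitigation for CVE-2019-20043 (sticky via REST)
 *
 * Added illustration, not WordPress core code. Place in wp-content/mu-plugins/
 * only until the site is updated to WordPress 5.3.1 or later.
 * Assumption: the flaw is that /wp/v2/posts accepted the "sticky" parameter
 * without requiring the publish_posts capability.
 */

add_filter( 'rest_request_before_callbacks', 'cve_2019_20043_block_sticky', 10, 3 );

function cve_2019_20043_block_sticky( $response, $handler, $request ) {
	// Leave errors raised by earlier filters untouched.
	if ( is_wp_error( $response ) ) {
		return $response;
	}

	// Only write requests against /wp/v2/posts or /wp/v2/posts/{id}.
	if ( ! in_array( $request->get_method(), array( 'POST', 'PUT', 'PATCH' ), true ) ) {
		return $response;
	}
	if ( ! preg_match( '#^/wp/v2/posts(?:/\d+)?/?$#', $request->get_route() ) ) {
		return $response;
	}

	// Both stick and unstick are covered: any presence of the parameter counts.
	if ( ! $request->has_param( 'sticky' ) ) {
		return $response;
	}

	// Users who may publish posts keep the normal behaviour.
	if ( current_user_can( 'publish_posts' ) ) {
		return $response;
	}

	// Record the denied attempt so the event is visible in the PHP error log.
	error_log( sprintf(
		'CVE-2019-20043 mitigation: blocked sticky change by user %d on %s',
		get_current_user_id(),
		$request->get_route()
	) );

	return new WP_Error(
		'cve_2019_20043_sticky_forbidden',
		'Sorry, you are not allowed to change the sticky status of posts.',
		array( 'status' => 403 )
	);
}
```

Because the filter runs before the endpoint callbacks, a contributor sending `{"sticky": true}` receives a 403 and the post is never touched, while editors and administrators are unaffected.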

Fix

Weakness Enumeration

Improper Privilege Management

Related Identifiers

BDU:2020-01953
CVE-2019-20043
DSA-4599-1
DSA-4677-1
GHSA-G7RG-HCHX-C2GW

Affected Products

Wordpress