Search for vulnerabilities
Vulnerability details: VCID-ke32-qerd-c7dm
Vulnerability ID VCID-ke32-qerd-c7dm
Aliases CVE-2019-20043
Summary In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
Status Published
Exploitability 0.5
Weighted Severity 4.5
Risk 2.2
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-269 Improper Privilege Management
System Score Found at
epss 0.01276 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.01276 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.01341 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.0138 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.01766 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
epss 0.01766 https://api.first.org/data/v1/epss?cve=CVE-2019-20043
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2019-20043
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2019-20043
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2019-20043
https://core.trac.wordpress.org/changeset/46893/trunk
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
https://seclists.org/bugtraq/2020/Jan/8
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
https://wpvulndb.com/vulnerabilities/9973
https://www.debian.org/security/2020/dsa-4599
https://www.debian.org/security/2020/dsa-4677
946905 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946905
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2019-20043 https://nvd.nist.gov/vuln/detail/CVE-2019-20043
No exploits are available.
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-20043
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-20043
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.78707
EPSS Score 0.01276
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T10:06:37.057043+00:00 NVD Importer Import https://nvd.nist.gov/vuln/detail/CVE-2019-20043 37.0.0