Description: XMLRPC: Don't allow private posts to be sticky.
 CVE-2015-5715
Author: ocean90@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/34151/
Bug: https://core.trac.wordpress.org/ticket/20662
Bug-Debian: https://bugs.debian.org/799140
Applied-Upstream: 4.3.1
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2015-09-19
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -4536,8 +4536,8 @@
 
 		$tags_input = isset( $content_struct['mt_keywords'] ) ? $content_struct['mt_keywords'] : null;
 
-		if ( ('publish' == $post_status) ) {
-			if ( ( 'page' == $post_type ) && !current_user_can('publish_pages') )
+		if ( 'publish' == $post_status || 'private' == $post_status ) {
+			if ( 'page' == $post_type && ! current_user_can( 'publish_pages' ) )
 				return new IXR_Error(401, __('Sorry, you do not have the right to publish this page.'));
 			else if ( !current_user_can('publish_posts') )
 				return new IXR_Error(401, __('Sorry, you do not have the right to publish this post.'));
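Review bot: The capability gate on the added `if` line enumerates the statuses that require `publish_posts`/`publish_pages`, so any other `$post_status` value that still yields a visible post would skip the check; the assignment of `$post_status` is outside the hunk, so confirm it is normalised to a fixed set before this point. The loose `==` comparisons would be safer as `if ( 'publish' === $post_status || 'private' === $post_status ) {`, provided the variable is always a string here. The patch description speaks of sticky posts, but the lines visible here only change the publish-capability check, so a comment such as `// Private posts require the same capability as published ones (CVE-2015-5715).` above the condition would tie the hunk to the advisory. The enclosing method starts and ends outside the hunk.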
