CVE-2020-4050

In affected versions of WordPress, misuse of the set-screen-option filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Published: Jun 12, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-4050
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.1
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Medium
Score: 6
AV:N/AC:M/Au:S/C:P/I:P/A:P

CWEs:

CWE-288

Affected Software
References

Software	From	Fixed in
WordPress / wordpress	3.7	3.7.34
WordPress / wordpress	3.8	3.8.34
WordPress / wordpress	3.9	3.9.32
WordPress / wordpress	4.0	4.0.31
WordPress / wordpress	4.1	4.1.31
WordPress / wordpress	4.2	4.2.28
WordPress / wordpress	4.3	4.3.24
WordPress / wordpress	4.4	4.4.23
WordPress / wordpress	4.5	4.5.22
WordPress / wordpress	4.6	4.6.19
WordPress / wordpress	4.7	4.7.18
WordPress / wordpress	4.8	4.8.14
WordPress / wordpress	4.9	4.9.15
WordPress / wordpress	5.0	5.0.10
WordPress / wordpress	5.1	5.1.6
WordPress / wordpress	5.2	5.2.7
WordPress / wordpress	5.3.0	5.3.4
WordPress / wordpress	5.4	5.4.2
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x

Vulnerability Database

289,689

CVE-2020-4050