CVE-2020-4050

LOW

WordPress <5.4.2 - Info Disclosure

Description

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. Exploitation requires that an admin has installed a plugin that misuses the filter. Once such a plugin is installed, the issue can be leveraged by low-privileged users. This has been patched in version 5.4.2, and in all previously affected versions via minor releases (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Scores

CVSS v3: 3.5
EPSS: 0.0242
EPSS Percentile: 84.9%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Classification

CWE: CWE-288
Status: published

Affected Products (6)

wordpress/wordpress < 3.7.34
fedoraproject/fedora
fedoraproject/fedora
debian/debian_linux
debian/debian_linux
debian/debian_linux

Timeline

Published: Jun 12, 2020
Tracked Since: Feb 18, 2026