CVE-2020-4050

LOW

WordPress <5.4.2 - Info Disclosure

Title source: llm
STIX 2.1

Description

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

References (8)

Core 8
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4709
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html

Scores

CVSS v3 3.5
EPSS 0.0242
EPSS Percentile 85.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Details

CWE
CWE-288
Status published
Products (6)
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 31
fedoraproject/fedora 32
wordpress/wordpress 3.7 - 3.7.34
Published Jun 12, 2020
Tracked Since Feb 18, 2026