CVE-2020-4050
published 2020-06-12

Priority: P4
CVSS 3.1 base score: 3.1 (Low)
CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 1.73% (74.7th percentile)
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Affected

46 ranges, showing 25

Vendor        | Product      | Version range                          | Fixed in
--------------|--------------|----------------------------------------|-----------------------------------
debian        | debian_linux |                                        |
debian        | debian_linux |                                        |
debian        | debian_linux |                                        |
debian        | wordpress    | < wordpress 5.4.2+dfsg1-1 (bookworm)   | wordpress 5.4.2+dfsg1-1 (bookworm)
fedoraproject | fedora       |                                        |
fedoraproject | fedora       |                                        |
wordpress     | wordpress    | >= 0 < 5.4.2+dfsg1-1                   | 5.4.2+dfsg1-1
wordpress     | wordpress    | >= 0 < 5.4.2+dfsg1-1                   | 5.4.2+dfsg1-1
wordpress     | wordpress    | >= 0 < 5.4.2+dfsg1-1                   | 5.4.2+dfsg1-1
wordpress     | wordpress    | >= 0 < 5.4.2+dfsg1-1                   | 5.4.2+dfsg1-1
wordpress     | wordpress    | >= 3.7 < 3.7.34                        | 3.7.34
wordpress     | wordpress    | >= 3.8 < 3.8.34                        | 3.8.34
wordpress     | wordpress    | >= 3.9 < 3.9.32                        | 3.9.32
wordpress     | wordpress    | >= 4.0 < 4.0.31                        | 4.0.31
wordpress     | wordpress    | >= 4.1 < 4.1.31                        | 4.1.31
wordpress     | wordpress    | >= 4.2 < 4.2.28                        | 4.2.28
wordpress     | wordpress    | >= 4.3 < 4.3.24                        | 4.3.24
wordpress     | wordpress    | >= 4.4 < 4.4.23                        | 4.4.23
wordpress     | wordpress    | >= 4.5 < 4.5.22                        | 4.5.22
wordpress     | wordpress    | >= 4.6 < 4.6.19                        | 4.6.19
wordpress     | wordpress    | >= 4.7 < 4.7.18                        | 4.7.18
wordpress     | wordpress    | >= 4.8 < 4.8.14                        | 4.8.14
wordpress     | wordpress    | >= 4.9 < 4.9.15                        | 4.9.15
wordpress     | wordpress    | >= 5.0 < 5.0.10                        | 5.0.10
wordpress     | wordpress    | >= 5.1 < 5.1.6                         | 5.1.6

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
--------------|--------------|-------|----------|--------------------------------------------------
nvd           | v3.1         | 3.1   | LOW      | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd           | v2.0         | 6.0   | MEDIUM   | AV:N/AC:M/Au:S/C:P/I:P/A:P
osv           |              | 3.1   | LOW      |
vendor_debian |              | 3.5   | LOW      |