Description

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Remediation

References

CVE-2020-4050

Related Vulnerabilities

Drupal Other Vulnerability (CVE-2006-1226)

WordPress Plugin Newsletter Open Redirect (2.6.4.4)

Oracle JRE CVE-2013-5819 Vulnerability (CVE-2013-5819)

WordPress Plugin WP Google Review Slider SQL Injection (6.1)

WordPress Plugin Page Showcaser Boxes Cross-Site Scripting (1.1)

Severity

Low

Classification

CVE-2020-4050 CWE-288 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities