CVE-2020-4050

CVE Database · CVE-2020-4050

CVE-2020-4050

· LOWModified

CVSS v3.1

3.5

EPSS

1.73%

Published

Jun 12, 2020

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Weaknesses (CWE)

CWE-288

Affected Products (23)

wordpress · wordpress (up to 3.7.34)vulnerable

wordpress · wordpress (up to 3.8.34)vulnerable

wordpress · wordpress (up to 3.9.32)vulnerable

wordpress · wordpress (up to 4.0.31)vulnerable

wordpress · wordpress (up to 4.1.31)vulnerable

wordpress · wordpress (up to 4.2.28)vulnerable

wordpress · wordpress (up to 4.3.24)vulnerable