In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 03:23
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
27 Feb 2023, 18:20
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/ - Release Notes, Vendor Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html - Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html - Mailing List, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2020/dsa-4709 - Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
|
First Time |
Debian
Debian debian Linux |
Information
Published : 2020-06-12 16:15
Updated : 2023-12-10 13:27
NVD link : CVE-2020-4050
Mitre link : CVE-2020-4050
CVE.ORG link : CVE-2020-4050
JSON object : View
Products Affected
wordpress
- wordpress
debian
- debian_linux
fedoraproject
- fedora
CWE
CWE-288
Authentication Bypass Using an Alternate Path or Channel