CVE-2020-4050 — LOW (3.5) — White Hats Nepal

Q: How severe is CVE-2020-4050?

CVE-2020-4050 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-4050?

Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

CVSS Score

3.5

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Wordpress	Wordpress	>= 3.7, < 3.7.34
Fedoraproject	Fedora	31
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-288

References

https://github.com/WordPress/wordpress-develop/commit/b8dea76b495f0072523106c6ecPatch
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fggThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00000.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00011.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-releRelease NotesVendor Advisory
https://www.debian.org/security/2020/dsa-4709Third Party Advisory
https://github.com/WordPress/wordpress-develop/commit/b8dea76b495f0072523106c6ecPatch
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fggThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00000.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00011.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-releRelease NotesVendor Advisory

FAQ

What is CVE-2020-4050?

CVE-2020-4050 is a vulnerability with a CVSS score of 3.5 (LOW). In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse...

How severe is CVE-2020-4050?

CVE-2020-4050 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-4050?

Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress, Fedoraproject Fedora, Debian Debian Linux.