Candidate: CVE-2020-4050
PublicDate: 2020-06-12 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4050
 https://core.trac.wordpress.org/changeset/47951
 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fgg2-gcqc
 https://github.com/WordPress/wordpress-develop/commit/b8dea76b495f0072523106c6ec46b9ea0d2a0920
 https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
Description:
 In affected versions of WordPress, misuse of the `set-screen-option`
 filter's return value allows arbitrary user meta fields to be saved. It
 does require an admin to install a plugin that would misuse the filter.
 Once installed, it can be leveraged by low privileged users. This has been
 patched in version 5.4.2, along with all the previously affected versions
 via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18,
 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34,
 3.7.34).
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962685
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N [3.1 LOW]

Patches_wordpress:
upstream_wordpress: released (5.4.2+dfsg1-1)
precise/esm_wordpress: DNE
trusty_wordpress: ignored (out of standard support)
trusty/esm_wordpress: DNE
xenial_wordpress: ignored (end of standard support, was needs-triage)
bionic_wordpress: needs-triage
eoan_wordpress: ignored (reached end-of-life)
focal_wordpress: needs-triage
groovy_wordpress: ignored (reached end-of-life)
hirsute_wordpress: ignored (reached end-of-life)
impish_wordpress: needs-triage
jammy_wordpress: needs-triage
devel_wordpress: needs-triage