CVE-2020-4050

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 5.4.2 WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34

Description The issue arises from the misuse of the set-screen-option filter's return value, allowing arbitrary user meta fields to be saved. This requires an admin to install a plugin that would misuse the filter, and once installed, it can be leveraged by low-privileged users.

Recommendations For versions prior to 5.4.2, update to version 5.4.2 or later to resolve the issue. For versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34, update to the respective minor release or later to resolve the issue. As a temporary workaround, consider restricting the installation of plugins to prevent potential misuse of the set-screen-option filter until a patch is applied.