CVE-2020-4050
set-screen-option filter misuse by plugins leading to privilege escalation in WordPressIn affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
We have discovered 225,015 live websites that are affected by CVE-2020-4050.
Affected Software
| Product |  WordPress |
| Category | Content Management System |
| Vulnerable Domains | 225,015 live websites (100% of WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 0 versions ( less than 0.1% of all versions) |
Common Weakness Enumeration
CWE-288 Authentication Bypass Using an Alternate Path or ChannelDetails
- Published - Jun 12, 2020
- Updated - Aug 4, 2024
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2020-4050 United States | 58,254 websites |
 Japan | 24,165 websites |
 Germany | 15,673 websites |
 Russia | 13,928 websites |
 Italy | 10,000 websites |
 France | 9,895 websites |
 GB | 7,794 websites |
 Poland | 6,912 websites |
 Netherlands | 6,024 websites |
 Canada | 5,742 websites |
Website Distribution by TLD
Number of websites using CVE-2020-4050| .com | 91,434 websites |
| .ru | 11,876 websites |
| .org | 10,149 websites |
| .de | 8,340 websites |
| .net | 8,267 websites |
| .it | 6,788 websites |
| .jp | 5,531 websites |
| .pl | 5,160 websites |
| .co.uk | 4,954 websites |
| .nl | 4,656 websites |
Websites affected by CVE-2020-4050
Top websites that are affected by CVE-2020-4050. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.net | United States | *** | |
| ****.org | United States | *,*** | |
| ****************.com | United States | *,*** | |
| **********.com | United States | **,*** | |
| **********.name | United States | **,*** | |
| ******.com | United States | **,*** | |
| *********.net |  Singapore | **,*** | |
| ********.com | France | **,*** | |
| *************.de |  Sweden | **,*** | |
| *************.***.au |  Australia | **,*** |
FAQ
CVE-2020-4050 is Authentication Bypass Using an Alternate Path or Channel in WordPress
A total of 225,015 websites have been identified as vulnerable to CVE-2020-4050, based on global website indexing conducted by WebTechSurvey.
The WordPress is affected by the CVE-2020-4050 vulnerability.
WordPress versions up to 5.4.2 are vulnerable to CVE-2020-4050.
CVE-2020-4050 is resolved in version 5.4.2 of WordPress.
References
- https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
- https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fgg2-gcqc
- https://github.com/WordPress/wordpress-develop/commit/b8dea76b495f0072523106c6ec46b9ea0d2a0920
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
- https://www.debian.org/security/2020/dsa-4709
- https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
- https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html