WordPress < 5.4.2 - Misuse of set-screen-option Leading to Privilege Escalation



Description
Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation.

Affects WordPresses

fixed in version 5.4.2
fixed in version 5.3.4
fixed in version 5.2.7
fixed in version 5.1.6
fixed in version 5.0.10
fixed in version 4.9.15
fixed in version 4.8.14
fixed in version 4.7.18
fixed in version 4.6.19
fixed in version 4.5.22
fixed in version 4.4.23
fixed in version 4.3.24
fixed in version 4.2.28
fixed in version 4.1.31
fixed in version 4.0.31
fixed in version 3.9.32
fixed in version 3.8.34
fixed in version 3.7.34

References

CVE 2020-4050
URL https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
URL https://github.com/WordPress/WordPress/commit/dda0ccdd18f6532481406cabede19ae2ed1f575d
URL https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fgg2-gcqc

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Original Researcher Simon Scannell (RIPS Technologies)
Views 1721
Verified No
WPVDB ID 10267

Timeline

Publicly Published 2020-06-11 (28 days ago)
Added 2020-06-11 (28 days ago)
Last Updated 2020-06-13 (26 days ago)
