Security Update for WordPress Plugin for Auth0
Published: March 31, 2020
CVE numbers: CVE-2020-5391, CVE-2020-5392, CVE-2020-6753, CVE-2020-7948, CVE-2020-7947
Credit: Muhamad Visat
Auth0 has released a new major version of the WordPress Plugin for Auth0 to address several vulnerabilities.
We recommend you review the following security advisories and upgrade to the new major version:
- CSRF controls missing for domain field in Auth0 WP plugin: CVE-2020-5391
- Stored XSS in Auth0 WP plugin (Settings page): CVE-2020-5392
- Stored XSS in Auth0 WP plugin (multiple pages): CVE-2020-6753
- CSV injection vulnerabilities in Auth0 WP plugin: CVE-2020-7947
- Insecure direct object reference in Auth0 WP plugin: CVE-2020-7948
Am I affected?
Customers running version 3.11.3 or earlier of the WordPress Plugin for Auth0 may be affected.
How do I fix this?
Customers using WordPress Plugin for Auth0 need to upgrade to version 4.0.0 or higher.