CVE-2019-20173: Security Update for WordPress Plugin for Auth0 wp-auth0

Published: January 31, 2020

CVE number: CVE-2019-20173

Credit: Muhamad Visat

Overview

Versions 3.11.0, 3.11.1, and 3.11.2 of the WordPress Plugin for Auth0 do not properly sanitize the wle query parameter. This could allow an attacker to perform a cross-site scripting (XSS) attack on the login page.
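The following is an added illustration, not code from the wp-auth0 plugin: it models the bug class the advisory describes (a login page reflecting the wle query value into HTML) as a vulnerable rendering beside its escaped form, with a small check that the reflected value stays confined to its attribute. It assumes a hypothetical link-rendering function, since the advisory does not describe the exact sink, and uses plain PHP so it runs without WordPress.

```php
<?php
// Added illustration, not code from the wp-auth0 plugin. Assumption: the wle value is
// rendered into a link on the login page; in a real plugin the equivalent WordPress
// helpers are esc_url() for href values and esc_attr() for other attributes.

declare(strict_types=1);

// Vulnerable pattern: the raw query value is concatenated into an href attribute.
// A double quote in the value closes the attribute early, and everything after it
// is parsed by the browser as markup.
function render_wle_link_unsafe(array $query): string
{
    $wle = (string) ($query['wle'] ?? '');
    return '<a href="/wp-login.php?wle=' . $wle . '">Log in with WordPress</a>';
}

// Hardened pattern: encode the value for the URL query component, then escape the
// whole URL for the attribute context. rawurlencode() neutralises '?', '&', '<' and
// '"' inside the query string; htmlspecialchars() guarantees the attribute delimiter
// cannot be terminated even if the URL itself contained one.
function render_wle_link_safe(array $query): string
{
    $wle  = (string) ($query['wle'] ?? '');
    $href = '/wp-login.php?wle=' . rawurlencode($wle);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Log in with WordPress</a>';
}

// Defender-side check: parse the rendered fragment and confirm it contains exactly
// one element (the anchor), i.e. the reflected text produced no extra markup.
function reflection_is_contained(string $html): bool
{
    $doc = new DOMDocument();
    // NOIMPLIED/NODEFDTD stop libxml from wrapping the fragment in <html><body>.
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD | LIBXML_NOERROR);
    return $doc->getElementsByTagName('*')->length === 1;
}

// Constructed input (not from a real request): a value that closes the attribute
// and opens a harmless tag, enough to show whether the escaping holds.
$constructed = ['wle' => '"><i>injected</i>'];

foreach (['unsafe' => 'render_wle_link_unsafe', 'safe' => 'render_wle_link_safe'] as $label => $fn) {
    $html = $fn($constructed);
    printf("%-6s contained=%s  %s\n", $label, reflection_is_contained($html) ? 'yes' : 'no', $html);
}
```

For the unsafe renderer the check reports the injected element as a second node; for the safe renderer the encoded value remains part of the href and only the anchor is present.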

Am I affected?

You are affected by this vulnerability if all of the following apply:

  • You are using the WordPress Plugin for Auth0 versions 3.11.0, 3.11.1, or 3.11.2

  • The “Original Login Form on wp-login.php” setting under Basic settings is set to either of the following two options:

    • “Via a link under the Auth0 form” (default option)

    • “When "wle" query parameter is present”

How to fix that?

Developers using the WordPress Plugin for Auth0 need to upgrade to version 3.11.3 or later.

Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.