Auth0 Security Bulletin CVE-2019-20173
Published: January 31, 2020
CVE number: CVE-2019-20173
Credit: Muhamad Visat
Versions 3.11.0, 3.11.1, and 3.11.2 of the WordPress Plugin for Auth0 do not properly sanitize the
wle query parameter before it is rendered on the login page. This could allow an attacker to perform a cross-site scripting (XSS) attack against the login page.
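The pattern behind this class of bug, as an added illustration that is not the plugin's code: the login page builds a link back to wp-login.php carrying the wle parameter, and if the raw value is interpolated into the HTML, an attacker-controlled value breaks out of the attribute. The function names and the sample payload below are constructed for the example; the hardened variants use plain PHP escaping, and the comments name the WordPress equivalents.

```php
<?php
// Added example, not code from the Auth0 WordPress plugin. Shows the unsafe
// reflection of a query parameter into the login page beside two safe forms.

// Constructed attacker-controlled value, as it would arrive in $_GET['wle'].
$wle = '" onmouseover="alert(document.cookie)" x="';

// Vulnerable: the raw value is concatenated into an href attribute, so the
// double quote in the payload closes the attribute and the rest becomes markup.
function render_login_link_vulnerable(string $wle): string {
    return '<a href="/wp-login.php?wle=' . $wle . '">Log in with username and password</a>';
}

// Hardened: percent-encode the value for the URL, then escape the whole URL for
// the attribute context. In WordPress this is the job of add_query_arg() plus
// esc_url(); htmlspecialchars() with ENT_QUOTES is the plain-PHP attribute step.
function render_login_link_fixed(string $wle): string {
    $url = '/wp-login.php?wle=' . rawurlencode($wle);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Log in with username and password</a>';
}

// Hardened further: the plugin setting only cares whether wle is present, so
// there is no reason to reflect the received value at all. Emit a fixed link
// and ignore the incoming parameter entirely.
function render_login_link_constant(): string {
    return '<a href="' . htmlspecialchars('/wp-login.php?wle=1', ENT_QUOTES, 'UTF-8') . '">Log in with username and password</a>';
}

echo render_login_link_vulnerable($wle), PHP_EOL;
echo render_login_link_fixed($wle), PHP_EOL;
echo render_login_link_constant(), PHP_EOL;
```

Running this with `php` prints the three anchors; the first carries a live onmouseover handler, the second carries the payload only as inert percent-encoded text, and the third never touches the request at all. When reviewing a WordPress plugin for this pattern, search for `$_GET` and `$_REQUEST` values that reach `echo` or string concatenation without passing through `esc_attr()`, `esc_url()`, or an equivalent context-appropriate escape.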
Am I affected?
You are affected by this vulnerability if both of the following apply:
- You are using the WordPress Plugin for Auth0 version 3.11.0, 3.11.1, or 3.11.2
- The “Original Login Form on wp-login.php” setting under Basic settings is set to either of these options:
  - “Via a link under the Auth0 form” (the default)
  - “When "wle" query parameter is present”
How do I fix this?
Upgrade the WordPress Plugin for Auth0 to version 3.11.3 or later.
Will this update impact my users?
No. This fix patches the plugin code that your site runs, but will not impact your users, their current state, or any existing sessions.