CVE-2020-5391, CVE-2020-5392, CVE-2020-6753, CVE-2020-7948, CVE-2020-7947: Security Update for WordPress Plugin for Auth0
Published: March 31, 2020
CVE numbers: CVE-2020-5391, CVE-2020-5392, CVE-2020-6753, CVE-2020-7948, CVE-2020-7947
Credit: Muhamad Visat
Overview
Auth0 has released a new major version of the WordPress Plugin for Auth0 to address several vulnerabilities.
We recommend you review the following security advisories and upgrade to the new major version:
CSRF controls missing for domain field in Auth0 WP plugin: CVE-2020-5391
Stored XSS in Auth0 WP plugin (Settings page): CVE-2020-5392
Stored XSS in Auth0 WP plugin (multiple pages): CVE-2020-6753
CSV injection vulnerabilities in Auth0 WP plugin: CVE-2020-7947
Insecure direct object reference in Auth0 WP plugin: CVE-2020-7948
Am I affected?
Customers using any version of the WordPress Plugin for Auth0 up to and including 3.11.3 can be affected.
How do I fix this?
Customers using WordPress Plugin for Auth0 need to upgrade to version 4.0.0 or higher.
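The two sections above reduce to one check an administrator can script: read the version WordPress records in the plugin's main PHP file header and compare it against 4.0.0. The script below is an added example, not code from Auth0 or from the plugin; the header text is constructed for the example, and the plugin file path mentioned in the comment is an assumption about where a typical install keeps it.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the comment block WordPress parses for plugin metadata.
# In a real install you would read the plugin's main PHP file instead
# (assumed path: wp-content/plugins/auth0/WP_Auth0.php); only the text matters here.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Login by Auth0
 * Version: 3.11.3
 */
"""

# From the advisory: releases 3.11.3 and earlier are affected; 4.0.0 is the first fixed release.
FIRST_FIXED_VERSION = (4, 0, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.11.3' (or a pre-release tag such as '4.0.0-beta') into a comparable int tuple."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Extract the 'Version:' line WordPress itself uses as the plugin version."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return match.group(1) if match else None


def is_affected(version: str) -> bool:
    """Any version ordered below 4.0.0 falls in the affected range named by the advisory."""
    return parse_version(version) < FIRST_FIXED_VERSION


def check_plugin_source(php_source: str) -> dict:
    """Report the installed version and whether an upgrade to 4.0.0 or higher is needed."""
    version = plugin_version_from_header(php_source)
    if version is None:
        # No header means we cannot tell; report that rather than guessing.
        return {"version": None, "affected": None, "note": "no Version header found"}
    affected = is_affected(version)
    note = "upgrade to 4.0.0 or higher" if affected else "already at a fixed release"
    return {"version": version, "affected": affected, "note": note}


if __name__ == "__main__":
    print(check_plugin_source(SAMPLE_PLUGIN_HEADER))
```

Tuple comparison handles multi-digit components correctly (3.11.10 still sorts below 4.0.0), which a plain string comparison would get wrong; a missing header is reported as unknown instead of being silently treated as safe.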
Will this update impact my users?
The release notes provide more in-depth information about the changes that were made, and the migration instructions provide more in-depth information about the upgrade path.