CVE-2020-5391, CVE-2020-5392, CVE-2020-6753, CVE-2020-7948, CVE-2020-7947: Security Update for WordPress Plugin for Auth0

On this page

Overview
Am I affected?
How to fix that?
Will this update impact my users?

Published: March 31, 2020 CVE numbers: CVE-2020-5391, CVE-2020-5392, CVE-2020-6753, CVE-2020-7948, CVE-2020-7947 Credit: Muhamad Visat

Overview

Auth0 has released a new major version of the WordPress Plugin for Auth0 to address several vulnerabilities. We recommend you review the following security advisories and upgrade to the new major version:

CSRF controls missing for domain field in Auth0 WP plugin: CVE-2020-5391
Stored XSS in Auth0 WP plugin (Settings page): CVE-2020-5392
Stored XSS in Auth0 WP plugin (multiple pages): CVE-2020-6753
CSV injection vulnerabilities in Auth0 WP plugin: CVE-2020-7947
Insecure direct object reference in Auth0 WP plugin: CVE-2020-7948

Am I affected?

Customers using any version of the WordPress Plugin for Auth0 3.11.3 or earlier can be affected.

How to fix that?

Customers using WordPress Plugin for Auth0 need to upgrade to version 4.0.0 or higher.

Will this update impact my users?

The release notes provide more in-depth information about the changes that were made, and the migration instructions provide more in-depth information about the upgrade path.

CVE-2020-15084: Security Update for express-jwt Library

CVE-2020-5263: Security Update for auth0.js Library