CVE-2019-20173: Security Update for WordPress Plugin for Auth0 wp-auth0

On this page

Overview
Am I affected?
How to fix that?
Will this update impact my users?

Published: January 31, 2020 CVE number: CVE-2019-20173 Credit: Muhamad Visat

Overview

The WordPress Plugin for Auth0 versions 3.11.0, 3.11.1, and 3.11.2 do not properly sanitize the wle query parameter. This could allow an attacker to run a cross-site scripting (XSS) attack on the login page.

Am I affected?

You are affected by this vulnerability if all of the following apply:

You are using the WordPress Plugin for Auth0 versions 3.11.0, 3.11.1, or 3.11.2
The “Original Login Form on wp-login.php” setting under Basic settings is set to either of the two options:
- “Via a link under the Auth0 form” (default option)
- “When “wle” query parameter is present”

How to fix that?

Developers using WordPress Plugin for Auth0 need to upgrade to version 3.11.3 or later.

Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.

CVE-2019-7644: Security Vulnerability in Auth0-WCF-Service-JWT

CVE-2018-15121: Security Vulnerability in auth0-aspnet and auth0-aspnet-owin