Description

WordPress Plugin Login by Auth0 is prone to multiple vulnerabilities, including cross-site scripting, CSV injection or cross-site request forgery vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, to execute arbitrary commands on the victim's system by the use of Microsoft Excel DDE function, to leak data via maliciously injected hyperlinks, or to perform certain administrative actions and gain unauthorized access to the affected application. WordPress Plugin Login by Auth0 version 3.11.3 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.0.0 or latest

References

https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0

https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v

Related Vulnerabilities

Apache Tomcat Other Vulnerability (CVE-2003-0044)

WordPress Plugin GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership Arbitrary File Upload (1.4.14)

WordPress Plugin WooCommerce Stock Manager Cross-Site Request Forgery (2.5.7)

WordPress Plugin Advanced Contact form 7 DB Information Disclosure (1.1.0)

Play Framework Generation of Error Message Containing Sensitive Information Vulnerability (CVE-2022-31023)

Severity

High

Classification

CVE-2020-5391 CVE-2020-5392 CVE-2020-6753 CVE-2020-7947 CVE-2020-7948 CWE-20 CWE-79 CWE-200 CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update