
GSA_kwCzR0hTQS04NjJtLTUyNTMtODMycs4ABIpz

Severity: Critical (CVSS 9.3)

Auth0 Wordpress Plugin vulnerable to Deserialization of Untrusted Data

Affected Package            Affected Versions            Fixed Versions
packagist:auth0/wordpress   >= 5.0.0-BETA0, <= 5.0.1     5.1.0

0 dependent packages
0 dependent repositories
12,534 downloads total

Affected Version Ranges

All affected versions

5.0.0, 5.0.0-BETA0, 5.0.0-BETA1, 5.0.1

All unaffected versions

2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.11, 2.2.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.5, 3.2.8, 3.2.9, 3.2.10, 3.2.14, 3.2.19, 3.2.21, 3.2.22, 3.2.23, 3.2.24, 3.2.25, 3.3.2, 3.4.0, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.7.0, 3.7.1, 3.7.3, 3.8.0, 3.8.1, 3.9.0, 3.10.0, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 5.1.0, 5.2.0, 5.2.1, 5.3.0

Overview
The Auth0 WordPress plugin contains a critical vulnerability caused by insecure deserialization of cookie data. Because the SDK processes cookie content before any authentication takes place, a threat actor could send a specially crafted cookie containing malicious serialized data.

Am I Affected?
You are affected by this vulnerability if both of the following preconditions hold:

  1. The application uses the Auth0 WordPress plugin at a version from 5.0.0-BETA0 through 5.0.1 (inclusive).
  2. That Auth0 WordPress plugin uses the Auth0-PHP SDK at a version from 8.0.0-BETA3 through 8.3.0 (inclusive).
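The two preconditions above are a version-range check, and the ranges include pre-release tags (5.0.0-BETA0, 8.0.0-BETA3), which naive string comparison gets wrong ("5.0.0-BETA0" sorts above "5.0.0" as a string). The following is an added example, not code from the advisory or from the Auth0 project: a small pre-release-aware checker that takes the installed plugin and SDK versions and reports whether both preconditions are met. The range constants are transcribed from the advisory; the `triage` helper and the sample inventory in `__main__` are constructed for illustration.

```python
import re

# Affected ranges as stated in the advisory; both ends are inclusive.
PLUGIN_RANGE = ("5.0.0-BETA0", "5.0.1")   # Auth0 WordPress plugin
SDK_RANGE = ("8.0.0-BETA3", "8.3.0")      # Auth0-PHP SDK used by the plugin

# Accepts "5.0.1", "v5.0.1", "5.0.0-BETA0" and the advisory's "5.0.0 BETA-0" spelling.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-\s]?([A-Za-z]+)-?(\d+))?$")


def parse_version(text):
    """Turn a version string into a tuple that orders correctly.

    A pre-release (BETA, RC, ...) sorts *below* the final release with the
    same major.minor.patch, so 5.0.0-BETA0 < 5.0.0 < 5.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        pre = (1, "", 0)                              # final release: above any pre-release
    else:
        pre = (0, m.group(4).upper(), int(m.group(5)))  # e.g. (0, "BETA", 3)
    return (major, minor, patch, pre)


def in_range(version, low, high):
    """True if low <= version <= high under pre-release-aware ordering."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def is_affected(plugin_version, sdk_version):
    """Both advisory preconditions must hold for an install to be affected."""
    return (in_range(plugin_version, *PLUGIN_RANGE)
            and in_range(sdk_version, *SDK_RANGE))


def triage(plugin_version, sdk_version):
    """Short verdict for one install (constructed helper, not part of the advisory)."""
    if is_affected(plugin_version, sdk_version):
        return "AFFECTED: upgrade the Auth0 WordPress plugin"
    return "not affected by this advisory"


if __name__ == "__main__":
    # Constructed sample inventory of (plugin version, SDK version) pairs.
    inventory = [("5.0.0-BETA1", "8.2.0"), ("5.0.1", "8.3.0"),
                 ("4.6.2", "8.1.0"), ("5.1.0", "8.4.0")]
    for plugin, sdk in inventory:
        print(f"plugin {plugin:<12} sdk {sdk:<12} -> {triage(plugin, sdk)}")
```

Running the block prints one verdict per inventory row; only installs whose plugin version falls in 5.0.0-BETA0..5.0.1 and whose SDK version falls in 8.0.0-BETA3..8.3.0 are reported as affected.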

Fix
Upgrade the Auth0 WordPress plugin to the latest version (v5.3.0).

References: