
Cross-Site Scripting on the Login Page

Moderate
esarafianou published GHSA-fvfm-8jwg-mhq5 Feb 5, 2020

Package

wp-auth0

Affected versions

3.11.0, 3.11.1, and 3.11.2

Patched versions

3.11.3

Description

Overview

The WordPress Plugin for Auth0 versions 3.11.0, 3.11.1, and 3.11.2 do not properly sanitize the wle query parameter. This could allow an attacker to run a cross-site scripting (XSS) attack on the login page.
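As an added illustration (not code from the wp-auth0 plugin or its 3.11.3 fix), the PHP below shows the generic defect class the advisory describes: a query parameter such as wle being written into login-page markup verbatim, next to two hardened variants. The function names, the link text and the sample input are assumptions constructed for this example.

```php
<?php
// Added example, not wp-auth0's code: how an unsanitized query parameter
// reaches page markup, and how output escaping or an allowlist prevents it.

// Hypothetical helper that builds the "original login form" link.
// The value is interpolated as-is, so any attacker-controlled characters
// become part of the HTML. Shown only for contrast; do not use.
function render_link_unsafe(string $wle): string
{
    return '<a href="wp-login.php?wle=' . $wle . '">Log in with the original form</a>';
}

// Hardened variant: the value is escaped for an HTML attribute context before
// it is written out. In WordPress the equivalent helpers are esc_attr() and,
// for a full URL, esc_url(); htmlspecialchars() is used here so the script
// runs outside WordPress.
function render_link_safe(string $wle): string
{
    $escaped = htmlspecialchars($wle, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="wp-login.php?wle=' . $escaped . '">Log in with the original form</a>';
}

// Stricter still: wle only acts as a switch, so treat it as one. The request
// value is never echoed; the link carries a fixed literal or nothing at all.
function render_link_allowlisted(array $query): string
{
    $present = isset($query['wle']) && $query['wle'] === '1';   // assumed allowlist
    $suffix  = $present ? '?wle=1' : '';
    return '<a href="wp-login.php' . $suffix . '">Log in with the original form</a>';
}

// Constructed sample value: it closes the href attribute and opens a new tag,
// which is exactly what output escaping must neutralise.
$sample = '"><em>x</em>';

echo render_link_unsafe($sample), "\n";
// -> <a href="wp-login.php?wle="><em>x</em>">Log in with the original form</a>
//    (attribute broken out of; <em> is now live markup)

echo render_link_safe($sample), "\n";
// -> <a href="wp-login.php?wle=&quot;&gt;&lt;em&gt;x&lt;/em&gt;">Log in with the original form</a>
//    (entities stay inside the attribute as inert text)

echo render_link_allowlisted(['wle' => $sample]), "\n";
// -> <a href="wp-login.php">Log in with the original form</a>
//    (value rejected by the allowlist; input never reaches the markup)
```

The allowlisted form is the one a reviewer would normally ask for here: a parameter whose only job is to toggle the legacy login link does not need to be reflected at all, and escaping then becomes a second layer rather than the only one.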

Am I affected?

You are affected by this vulnerability if all of the following apply:

  • You are using the WordPress Plugin for Auth0 versions 3.11.0, 3.11.1, or 3.11.2
  • The “Original Login Form on wp-login.php” setting under Basic settings is set to either of the following two options:
    • “Via a link under the Auth0 form” (default option)
    • “When "wle" query parameter is present”

How to fix this?

Developers using WordPress Plugin for Auth0 need to upgrade to version 3.11.3 or later.

Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.

Severity

Moderate

CVE ID

CVE-2019-20173

Weaknesses

No CWEs