PT-2020-10357 · Auth0+1 · Wp-Auth0+1

Published: 2020-02-05 · Updated: 2020-02-07

CVE-2019-20173

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Auth0 wp-auth0 plugin versions 3.11.x through 3.11.2

Description

The Auth0 wp-auth0 plugin for WordPress allows cross-site scripting (XSS) via the wle parameter associated with the "wp-login.php" endpoint.

Recommendations

For Auth0 wp-auth0 plugin versions 3.11.x through 3.11.2, update to version 3.11.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-login.php" endpoint to minimize the risk of exploitation. Avoid using the wle parameter in the affected endpoint until the issue is resolved.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-20173

Affected Products

Wordpress
Wp-Auth0