CVE-2023-6813

Name of the Vulnerable Software and Affected Versions Login by Auth0 plugin for WordPress versions up to, and including, 4.6.0

Description The issue is related to Reflected Cross-Site Scripting via the wle parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The wle parameter can be passed to the WordPress login page by end users, and under specific conditions, it could potentially accept an arbitrary string that would be improperly rendered, potentially allowing for a cross-site scripting (XSS) attack on the login page.

Recommendations To resolve the issue, please upgrade to version 4.6.1 of the Login by Auth0 plugin for WordPress. As a temporary workaround, consider restricting the use of the wle parameter to minimize the risk of exploitation. Avoid using the wle parameter in the affected login page until the issue is resolved.