PT-2025-51935 · Auth0/WordPress
Published 2025-12-17 · Updated 2026-03-05
CVE-2025-68129
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Auth0-PHP versions 8.0.0 through 8.17.0
Auth0/symfony versions 5.0.0 through 5.5.0
Auth0/laravel-auth0 versions 7.0.0 through 7.19.0
Auth0/wordpress plugin versions 5.0.0-BETA0 through 5.4.0
Description
The Auth0-PHP SDK validates the audience of access tokens improperly. Because of this flawed check, an application can incorrectly accept an ID token where an access token is required. This affects applications built directly on the Auth0-PHP SDK and those using integrations such as Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress that depend on vulnerable versions of the SDK.
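As an added illustration (not code from the Auth0-PHP SDK or any of the affected integrations), the following standalone PHP check shows the distinction a resource server must enforce: an ID token, whose audience is the application's client_id, is not an authorization to call an API, and only a token whose aud names the API may be accepted. API_AUDIENCE, CLIENT_ID and the sample claims are assumed placeholder values.

```php
<?php
// Added example, not Auth0-PHP SDK code. API_AUDIENCE, CLIENT_ID and the
// sample claims are assumed placeholder values for illustration only.
declare(strict_types=1);

const API_AUDIENCE = 'https://api.example.invalid';  // resource server identifier (assumed)
const CLIENT_ID    = 'placeholder-client-id';        // the application's client_id (assumed)

/**
 * Returns true only when the (already signature-, issuer- and expiry-verified)
 * claims belong to an access token issued for this API. An ID token names the
 * client_id as its audience and is addressed to the application, not the API,
 * so it must be rejected here even though every other check passes.
 */
function isAccessTokenForApi(array $claims, string $apiAudience): bool
{
    if ($apiAudience === '' || !isset($claims['aud'])) {
        return false;
    }
    // 'aud' may be a single string or an array of strings (RFC 7519 section 4.1.3).
    $aud = is_array($claims['aud']) ? $claims['aud'] : [$claims['aud']];
    $aud = array_values(array_filter($aud, 'is_string'));

    // The API must be an explicit audience; a token addressed only to the
    // client_id (an ID token) does not satisfy this, whatever else it carries.
    if (!in_array($apiAudience, $aud, true)) {
        return false;
    }
    // Belt and braces: a nonce is an ID-token claim, not an API access-token claim.
    if (isset($claims['nonce'])) {
        return false;
    }
    return true;
}

// Constructed sample claims: an ID token and an access token for the same user.
$idTokenClaims = [
    'iss' => 'https://tenant.example.invalid/', 'sub' => 'auth0|user1',
    'aud' => CLIENT_ID, 'nonce' => 'constructed-nonce',
];
$accessTokenClaims = [
    'iss' => 'https://tenant.example.invalid/', 'sub' => 'auth0|user1',
    'aud' => [API_AUDIENCE, 'https://tenant.example.invalid/userinfo'], 'scope' => 'read:items',
];

var_dump(isAccessTokenForApi($idTokenClaims, API_AUDIENCE));      // ID token: not accepted
var_dump(isAccessTokenForApi($accessTokenClaims, API_AUDIENCE));  // access token for the API: accepted
```

The audience check belongs on the resource server side in addition to any check the SDK performs, so an upgrade to a fixed SDK version (see Recommendations) and this server-side enforcement complement each other.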
Recommendations
Update Auth0-PHP to version 8.18.0 or later.
Update Auth0/symfony to a version later than 5.5.0.
Update Auth0/laravel-auth0 to a version later than 7.19.0.
Update Auth0/wordpress plugin to a version later than 5.4.0.
Weakness Types
Incorrect Authorization
Insufficient Verification of Data Authenticity
Affected Products
Auth0-PHP
Auth0/laravel-auth0
Auth0/symfony
Auth0/wordpress