PT-2026-32322 — Packagist Auth0/Wordpress

PT-2026-32322 · Packagist · Auth0/Wordpress

Published

2026-04-03

Updated

2026-04-03

CVSS v3.1

8.2

High

Vector

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Impact

In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.

Am I Affected?

Consumers are affected if their application meets the following preconditions:

It is using the Auth0 WordPress Plugin, versions between 5.0.0-BETA0 and 5.5.0
Auth0 WordPress plugin using the Auth0-PHP SDK versions between 8.0.0 to 8.18.0.

Resolution

Upgrade Auth0/wordpress to version 5.6.0 or greater.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-331

Related Identifiers

GHSA-VFPX-Q664-H93M

Affected Products

Auth0/Wordpress