GHSA-2f4r-34m4-3w8q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2f4r-34m4-3w8q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-2f4r-34m4-3w8q/GHSA-2f4r-34m4-3w8q.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-2f4r-34m4-3w8q
- Related
- Published
- 2025-05-17T15:07:23Z
- Modified
- 2025-05-17T15:44:38.189857Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Auth0 Wordpress plugin Vulnerable to Brute Force Authentication Tags of CookieStore Sessions
- Details
-
Overview Session cookies of applications using the Auth0 Wordpress plugin configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.
Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications using the Auth0 WordPress Plugin with version <=5.2.1 2. Auth0 WordPress Plugin uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0. 3. Session storage configured with CookieStore.
Fix Upgrade Auth0/wordpress plugin to v5.3.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.
Acknowledgement Okta would like to thank Félix Charette for discovering this vulnerability.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-287" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-05-17T15:07:23Z" }- References
Affected packages
Packagist / auth0/wordpress
Package
- Name
- auth0/wordpress
- Purl
- pkg:composer/auth0/wordpress
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.3.0