CVE-2020-7947

CRITICAL

WordPress Login by Auth0 <4.0.0 - CSV Injection


Description

An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. The plugin has numerous fields that can contain data pulled from different sources. This data is not sanitized, and no input validation is performed, before user data is exported. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.

Scores

CVSS v3: 9.8
EPSS: 0.0181
EPSS Percentile: 82.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-1236
Status: published
Products (1): auth0/login_by_auth0 < 4.0.0
Published: Apr 01, 2020
Tracked Since: Feb 18, 2026