Description
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. The plugin has numerous fields that can contain data pulled from different sources. This data is not sanitized, and no input validation is performed, before user data is exported. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.
References (4)
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/auth0/#developers
Product, Vendor Advisory x_refsource_misc
https://auth0.com/docs/cms/wordpress
Third Party Advisory x_refsource_confirm
https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0
Third Party Advisory x_refsource_confirm
https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v
Scores
CVSS v3
9.8
EPSS
0.0284
EPSS Percentile
84.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-1236
Status
published
Products (1)
auth0/login_by_auth0
< 4.0.0
Published
Apr 01, 2020
Tracked Since
Feb 18, 2026