Vulnerability Description
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. The plugin has numerous fields that can hold data pulled from different sources. The data is not sanitized and no input validation is performed before the user data is exported. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.
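The defensive counterpart of the description above, added here as an example and not code from the Login by Auth0 plugin: neutralize formula-triggering cell prefixes at export time and flag the records that contain them. The field names and sample records are constructed for illustration.

```python
import csv
import io

# Prefixes that spreadsheet applications treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value) -> bool:
    """True if the cell text would be evaluated as a formula when opened."""
    return str(value).lstrip(" ").startswith(FORMULA_PREFIXES)


def neutralize_cell(value):
    """Prefix formula-like text with a quote so it is read as a literal string.
    Numbers and None pass through unchanged."""
    if value is None or isinstance(value, (int, float)):
        return value
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def find_formula_cells(records):
    """Detection helper: (row index, field name) of every formula-like cell."""
    return [(i, field) for i, rec in enumerate(records)
            for field, value in rec.items()
            if isinstance(value, str) and is_formula_like(value)]


def export_users_csv(records, fields) -> str:
    """Serialize records to CSV with every cell neutralized; QUOTE_ALL keeps
    embedded commas and quotes from breaking the row layout."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow({f: neutralize_cell(rec.get(f, "")) for f in fields})
    return buf.getvalue()


# Constructed sample records, standing in for profile data pulled from an
# identity source; the nickname and name fields are deliberately formula-like.
SAMPLE_USERS = [
    {"user_id": "auth0|0001", "nickname": "alice", "name": "Alice Example"},
    {"user_id": "auth0|0002", "nickname": "=SUM(1,2)", "name": " -dash"},
]
```

Running find_formula_cells over the export set before writing the file gives an audit trail of which profile fields carried formula-like content.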
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Auth0 | Login By Auth0 | < 4.0.0 |
Related Weaknesses (CWE)
References
- https://auth0.com/docs/cms/wordpress (Product; Vendor Advisory)
- https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0 (Third Party Advisory)
- https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v (Third Party Advisory)
- https://wordpress.org/plugins/auth0/#developers (Release Notes; Third Party Advisory)
FAQ
What is CVE-2020-7947?
CVE-2020-7947 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the dat...
How severe is CVE-2020-7947?
CVE-2020-7947 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-7947?
Check the references section above for vendor advisories and patch information. Affected products include: Auth0 Login By Auth0.