10/7/2024
11/7/2024
2/8/2024
CVE-2023-6813: Login by Auth0 <= 4.6.0 - Reflected Cross-Site Scripting via wle
First published: Wed Jul 10 2024(Updated: )
### Impact
The Auth0 WordPress plugin allows site administrators to opt-in to allowing the use of a `wle` parameter, which can be passed to the WordPress login page by end users. When this parameter is supplied using an expected value (which is randomly generated by the plugin, by default), the end user can fallback to using WordPress' native authentication behavior. (This is generally intended as an emergency fallback for administrators to still be able to access their dashboard in the event something goes wrong.)
In previous versions of the plugin, under specific conditions, this parameter could potentially accept an arbitrary string that would be improperly rendered, potentially allowing for a cross-site scripting (XSS) attack on the login page.
### Patches
Please upgrade to v4.6.1 of the plugin to resolve the issue.
Credit: security@wordfence.com security@wordfence.com
Affected Software | Affected Version | How to fix |
---|
composer/auth0/wordpress | <=4.6.0 | 4.6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/type
- agent/severity
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-x6p7-44rh-m3rr
- alias/CVE-2023-6813
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/description
- agent/event
- collector/nvd-cve
- agent/author
- agent/tags
- collector/mitre-cve
- source/MITRE
- collector/github-advisory
- package-manager/composer
Contact
SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.coBy using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203