SB2020040607 - Multiple vulnerabilities in Login by Auth0 plugin for WordPress



Published: April 6, 2020

Security Bulletin ID: SB2020040607
Severity: Medium
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 20%, Low: 80%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Cross-site request forgery (CVE-ID: CVE-2020-5391)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in the domain field. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.


2) Stored cross-site scripting (CVE-ID: CVE-2020-5392)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the settings page. A remote attacker can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


3) Stored cross-site scripting (CVE-ID: CVE-2020-6753)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data on multiple pages. A remote attacker can permanently inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


4) CSV Injection (CVE-ID: CVE-2020-7947)

The vulnerability allows a remote attacker to inject arbitrary code into CSV files.

The vulnerability exists due to insufficient sanitization of user-supplied data in numerous fields when constructing CSV files. A remote attacker can inject malicious data into the contact form fields that are later used by the plugin to generate CSV files. When such a file is opened in Microsoft Excel, the injected data can make use of Excel's built-in functions to execute malicious macros.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
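
For developers who maintain CSV export code of this kind, the following is an added example of neutralising formula-leading characters before user-supplied values are written to a CSV file. It is not the plugin's code or the vendor's fix; the function names and sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example: neutralise spreadsheet formula triggers before CSV export.
// Function names and sample rows are hypothetical, not taken from the plugin.

/** Return the cell as text that a spreadsheet will not evaluate as a formula. */
function neutralise_csv_cell($value): string
{
    $cell = (string) $value;

    // Plain numbers such as "-5" or "+3.2" cannot carry a formula; keep them intact.
    if ($cell === '' || is_numeric($cell)) {
        return $cell;
    }

    // Leading spaces are skipped because some spreadsheet tools trim them
    // before deciding whether the cell is a formula.
    $trimmed = ltrim($cell, ' ');
    $triggers = ['=', '+', '-', '@', "\t", "\r"];
    if ($trimmed !== '' && in_array($trimmed[0], $triggers, true)) {
        // A leading apostrophe makes the spreadsheet treat the cell as literal text.
        return "'" . $cell;
    }
    return $cell;
}

/** Write rows to an open stream, neutralising every cell first. */
function write_csv_export($handle, array $rows): void
{
    foreach ($rows as $row) {
        // fputcsv() quotes commas, double quotes and newlines correctly,
        // but does nothing about formula triggers, hence the array_map().
        fputcsv($handle, array_map('neutralise_csv_cell', $row), ',', '"', '\\');
    }
}

// Constructed sample rows standing in for user-supplied field values.
$rows = [
    ['name', 'email', 'note'],
    ['Alice', 'alice@example.com', 'plain text'],
    ['Bob', 'bob@example.com', '=SUM(A1:A2)'], // would be evaluated if written as-is
    ['Carol', 'carol@example.com', '-5'],      // numeric, left unchanged
];

$out = fopen('php://output', 'w');
write_csv_export($out, $rows);
fclose($out);
```

The neutralisation belongs at export time, on every cell, so that values stored before the fix are covered as well.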


5) Improper access control (CVE-ID: CVE-2020-7948)

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to an insecure direct object reference issue. A remote attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the target system.


Remediation

Install the update from the vendor's website.