CVE-2020-7947 Information

Description

An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn’t sanitized and no input validation is performed before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://auth0.com/docs/cms/wordpress
https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0
https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v
https://wordpress.org/plugins/auth0/developers

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

HIGH
