Auth0 < 3.11.3 - Unauthenticated Reflected XSS via wle Parameter



Description
"XSS via a wle parameter associated with wp-login.php."
Proof of Concept
WP/wp-login.php?wle=%22%20onEvent%3DX186697040Y2Z%20

Affects Plugin

Fixed in version 3.11.3

References

CVE 2019-20173
URL https://auth0.com/docs/security/bulletins/cve-2019-20173

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Verified No
WPVDB ID 10059

Timeline

Publicly Published 2020-01-31
Added 2020-02-05
Last Updated 2020-02-06
