CVE-2025-68129
Auth0 WordPress has Improper Audience Validation via Auth0-PHP SDK Dependency
Description
### Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. ### Affected product and versions Projects are affected if they meet the following preconditions: - Applications using the Auth0 Wordpress plugin with version between 5.0.0-BETA0 and 5.4.0, - Auth0 Wordpress plugin uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0. ### Resolution Upgrade Auth0 Wordpress plugin to version 5.5.0 or greater. ### Acknowledgement Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.
How to fix CVE-2025-68129
To remediate CVE-2025-68129, upgrade the affected package to a fixed version below.
- —upgrade to 8.18.0 or later
- —upgrade to 7.20.0 or later
- —upgrade to 5.6.0 or later
- —upgrade to 5.5.0 or later
Is CVE-2025-68129 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 8.0.0, < 8.18.0
- >= 7.0.0, < 7.20.0
- >= 5.0.0, < 5.6.0
- >= 5.0.0-BETA0, < 5.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |