CVE-2025-68129

MEDIUM6.8EPSS 0.09%

Auth0 WordPress has Improper Audience Validation via Auth0-PHP SDK Dependency

發布日:2025/12/17修改日:2026/2/4

也稱為:GHSA-7hh9-gp72-wh7h GHSA-f3r2-88mq-9v4g GHSA-j2vm-wrq3-f7gf GHSA-vvg7-8rmq-92g7

描述

### Description In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. ### Affected product and versions Projects are affected if they meet the following preconditions: - Applications using the Auth0 Wordpress plugin with version between 5.0.0-BETA0 and 5.4.0, - Auth0 Wordpress plugin uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0. ### Resolution Upgrade Auth0 Wordpress plugin to version 5.5.0 or greater. ### Acknowledgement Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

受影響套件(4)

Packagist/auth0/auth0-php>= 8.0.0, < 8.18.0
Packagist/auth0/login>= 7.0.0, < 7.20.0
Packagist/auth0/symfony>= 5.0.0, < 5.6.0
Packagist/auth0/wordpress>= 5.0.0-BETA0, < 5.5.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

描述

受影響套件(4)

CVSS 分數

參考連結(17)