WordPress Auth0 Login Plugin Update & Security Disclosure

Hello Community members! Auth0 has released a new major version of its WordPress login plugin. This release fixes a number of security vulnerabilities.

Auth0 recommends that users of all versions of the plugin upgrade immediately.

How to update your WordPress Login Plugin:

  • Download the new plugin here.
  • Follow the migration instructions.

New versions of the plugin will be subject to the MIT License Terms.

How many and how serious are the vulnerabilities?

The WordPress login plugin version 4.0.0 fixes five security vulnerabilities. The highest severity is High, with a CVSS score of 8.5. The associated CVEs are CVE-2020-7947, CVE-2020-6753, CVE-2020-5392, CVE-2020-5391, and CVE-2020-7948.

Is the new version backwards compatible?

Some features were removed from the plugin configuration section to address security concerns; the changelog and release notes list them.

There is no need to change any configuration on the Auth0 side or to upgrade PSaaS installations.

The update includes a number of changes, among them the move to PHP 7, that have the potential to break sites using the WordPress Login Plugin. Sites that have extensively customized the WordPress login plugin will require code updates. The release notes provide more in-depth information about the changes that were made.

What are the other changes associated with this new version?

All of the changes for this version can be found in the changelog for 4.0.

How can I upgrade my Auth0 Login plugin?

Auth0 recommends that all users of the plugin upgrade to the new release (version 4.0.0) immediately, regardless of the version they use. You can update either via the WordPress Admin dashboard, or by manually uploading the new version to your WordPress instance.

Update via WordPress Admin Dashboard:

  1. Go to your WordPress Admin Dashboard
  2. Select “Updates”
  3. The option to update the Auth0 plugin will be available
  4. If the updated version is not showing up, wait a few minutes, and click “Check Again”
  5. If the updated version still doesn’t show up after performing the steps above, follow the instructions for the manual update

Manual Update:

First, download the new plugin here. While you are manually upgrading the plugin, your users may not be able to log in. That is why we advise putting your WordPress site into maintenance mode while you execute the following steps.

  1. Access your WordPress site files using sFTP or SSH.
  2. Create a new directory named auth0-v4 under wp-content/plugins/
  3. Unzip the plugin that you downloaded earlier. By default, it extracts into an “auth0” folder. Copy the content of your local auth0login-by-auth0-4.0.0 folder into the new auth0-v4 directory.
  4. For backup purposes, rename the existing plugin directory named auth0 to auth0-v3. Please note that doing this will stop logins from working until you perform the next step.
  5. Rename the auth0-v4 directory to auth0. By doing this you are activating Login by Auth0 plugin v4.0.0.
  6. Sign in to your WordPress site administration panel. Go to Plugins > Installed Plugins and verify that the plugin you upgraded is now at the newest version, i.e. 4.0.0. If something is not working as expected, you can revert to the previous version of the plugin by switching the plugin directory names back.
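The manual steps above, scripted as one atomic-as-possible swap with a rollback path. This is an added example and not code from the original post or from Auth0: it assumes the WordPress root is passed as the first argument, that the downloaded plugin has already been unzipped into a local directory passed as the second argument, and that the plugin's main file carries a standard WordPress `Version:` header (the file name WP_Auth0.php and the old version number 3.0.0 used in the constructed fixture are assumptions, not facts from the page). Maintenance mode is implemented with WordPress core's own `.maintenance` file, which WordPress honours for ten minutes after the `$upgrading` timestamp.

```bash
#!/usr/bin/env bash
# Added example: scripted version of the manual Login by Auth0 upgrade.
# Not the plugin's own tooling. Assumes: $1 = WordPress root, $2 = directory
# holding the unzipped 4.0.0 plugin files. Run with --demo to exercise the
# steps on a throwaway, constructed fixture instead of a real site.
set -eu

# Read the "Version:" plugin header from the first top-level .php file that has one.
plugin_version() {
  local f v
  for f in "$1"/*.php; do
    [ -f "$f" ] || continue
    v=$(sed -nE 's/^[[:space:]*]*Version:[[:space:]]*([^[:space:]]+).*/\1/p' "$f" | head -n1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
  done
  return 1
}

# WordPress core reads ABSPATH/.maintenance and serves its maintenance page while
# $upgrading is less than ten minutes old, which covers the directory swap below.
maintenance_on()  { printf '<?php $upgrading = %s; ?>\n' "$(date +%s)" > "$1/.maintenance"; }
maintenance_off() { rm -f "$1/.maintenance"; }

# Steps 2-5 of the manual update: stage v4 as auth0-v4, move the live auth0
# aside as auth0-v3 (logins stop here), then rename auth0-v4 to auth0 (logins resume on v4).
upgrade_auth0_plugin() {
  local wp_root="$1" new_src="$2"
  local plugins="$wp_root/wp-content/plugins"
  [ -d "$plugins/auth0" ] || { echo "no existing auth0 plugin directory in $plugins" >&2; return 1; }
  if [ -e "$plugins/auth0-v3" ]; then
    echo "backup directory auth0-v3 already exists; refusing to overwrite it" >&2
    return 1
  fi
  rm -rf "$plugins/auth0-v4"
  mkdir -p "$plugins/auth0-v4"
  cp -R "$new_src"/. "$plugins/auth0-v4"/
  maintenance_on "$wp_root"
  mv "$plugins/auth0" "$plugins/auth0-v3"
  mv "$plugins/auth0-v4" "$plugins/auth0"
  maintenance_off "$wp_root"
}

# Step 6 fallback: switch the directory names back to return to the v3 backup.
rollback_auth0_plugin() {
  local plugins="$1/wp-content/plugins"
  [ -d "$plugins/auth0-v3" ] || { echo "no auth0-v3 backup to roll back to" >&2; return 1; }
  maintenance_on "$1"
  mv "$plugins/auth0" "$plugins/auth0-v4"
  mv "$plugins/auth0-v3" "$plugins/auth0"
  maintenance_off "$1"
}

# Constructed sample layout (not a real site): an installed "3.0.0" plugin and an
# unzipped "4.0.0" download, each with only a minimal plugin header file.
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins/auth0" "$root/new-plugin-src"
  printf '<?php\n/**\n * Plugin Name: Login by Auth0\n * Version: 3.0.0\n */\n' > "$root/wp-content/plugins/auth0/WP_Auth0.php"
  printf '<?php\n/**\n * Plugin Name: Login by Auth0\n * Version: 4.0.0\n */\n' > "$root/new-plugin-src/WP_Auth0.php"
  printf '%s\n' "$root"
}

demo() {
  local root
  root=$(make_fixture)
  echo "before: $(plugin_version "$root/wp-content/plugins/auth0")"
  upgrade_auth0_plugin "$root" "$root/new-plugin-src"
  echo "after:  $(plugin_version "$root/wp-content/plugins/auth0") (backup: $(plugin_version "$root/wp-content/plugins/auth0-v3"))"
  rollback_auth0_plugin "$root"
  echo "rolled back: $(plugin_version "$root/wp-content/plugins/auth0")"
  rm -rf "$root"
}

case "${1-}" in
  --demo) demo ;;
  "") ;;   # no arguments: only define the functions (for sourcing)
  *) upgrade_auth0_plugin "$1" "${2:?path to the unzipped 4.0.0 plugin directory is required}"
     echo "auth0 plugin now at version $(plugin_version "$1/wp-content/plugins/auth0")" ;;
esac
```

Run it as `./upgrade-auth0.sh /var/www/html /tmp/auth0login-by-auth0-4.0.0` (paths are placeholders) over SSH, then confirm in Plugins > Installed Plugins as in step 6. The script refuses to run if an auth0-v3 backup already exists, so a half-finished earlier attempt cannot silently destroy the only copy of the old plugin.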

Questions?

If you find you have any questions related to this topic or others, please feel free to let us know below in the comments section or generate a new Community topic related to this. Thank you!
