
Auth0 WordPress Plugin Cookie Encryption Weakness Exposes Session Hijacking Risk

GHSA-vfpx-q664-h93m
Summary

If you're using the Auth0 WordPress Plugin and the Auth0 PHP SDK, you may be vulnerable to hackers guessing your encrypted cookies. This could let them pretend to be your users. To fix this, update the Auth0 WordPress Plugin to version 5.6.0 or later.

What to do
  • Update auth0 wordpress to version 5.6.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| auth0 | wordpress | > 5.0.0-BETA0, <= 5.5.0 | 5.6.0 |
Original title
Auth0 WordPress Plugin has Insufficient Entropy in Cookie Encryption
Original description
### Impact
In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.
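The weakness above is a key-material problem: if the secret that an encrypted session cookie is derived from is short or predictable, the key space is small enough to search, and a forged cookie passes as a valid session. The following is an added illustration (not code from the Auth0 SDK or the WordPress plugin) of two defensive checks a deployment can make: rejecting a low-entropy cookie secret before it is ever used, and deriving the actual cookie key from a CSPRNG-generated secret with HKDF (RFC 5869). The 128-bit threshold, the function names and the `info` label are assumptions for the example.

```python
"""Entropy check for a cookie-encryption secret plus HKDF key derivation.
Added example using only the Python standard library; not Auth0 code."""
import hashlib
import hmac
import math
import secrets
import string

# Assumed policy threshold for this example; a key space below this is
# within reach of offline search and is what "insufficient entropy" means.
MIN_KEY_BITS = 128


def estimate_entropy_bits(secret: str) -> float:
    """Upper-bound entropy estimate: length * log2(alphabet size), where the
    alphabet is the union of character classes actually present. A word or a
    datestamp scores far below MIN_KEY_BITS; a CSPRNG token scores well above."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in secret))
    if alphabet == 0:
        return 0.0
    return len(secret) * math.log2(alphabet)


def secret_is_strong(secret: str) -> bool:
    """True when the estimate meets the policy threshold."""
    return estimate_entropy_bits(secret) >= MIN_KEY_BITS


def generate_secret(nbytes: int = 32) -> str:
    """Draw the cookie secret from the OS CSPRNG (256 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF extract-then-expand (RFC 5869) with SHA-256.
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def cookie_key(secret: str) -> bytes:
    """Derive the 32-byte cookie-encryption key, refusing weak secrets outright
    so a misconfiguration fails at startup rather than shipping weak cookies."""
    if not secret_is_strong(secret):
        raise ValueError("cookie secret has insufficient entropy; use generate_secret()")
    return hkdf_sha256(secret.encode(), b"session-cookie-encryption")  # assumed label


if __name__ == "__main__":
    for candidate in ("password", "20260403", generate_secret()):
        print(f"{candidate[:12]:<12} ~{estimate_entropy_bits(candidate):6.1f} bits "
              f"strong={secret_is_strong(candidate)}")
```

The estimate is deliberately generous (it treats every character as independent), so a secret that fails it is certainly too weak; passing it is necessary, not sufficient, which is why the key should come from `generate_secret()` rather than from anything a human typed or a deployment script derived from site metadata.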

### Am I Affected?
Consumers are affected if their application meets the following preconditions:
- It is using the Auth0 WordPress Plugin, versions between 5.0.0-BETA0 and 5.5.0
- The Auth0 WordPress plugin is using the Auth0-PHP SDK, versions 8.0.0 to 8.18.0.

### Resolution
Upgrade Auth0/wordpress to version 5.6.0 or greater.
CVSS 3.1 (GHSA): 8.2
Vulnerability type
CWE-331
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026