Auth0 WordPress Plugin Uses Weak Cookie Encryption
GHSA-vfpx-q664-h93m
Summary
The Auth0 WordPress Plugin has a security weakness that could allow attackers to access user sessions. If you're using the plugin, you should update to the latest version to protect your users' sessions. Update the Auth0 WordPress Plugin to version 5.6.0 or later.
What to do
- Update auth0/wordpress (vendor: auth0) to version 5.6.0 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| auth0 | auth0/wordpress | > 5.0.0-BETA0, <= 5.6.0 | 5.6.0 |
Original title
Auth0 WordPress Plugin has Insufficient Entropy in Cookie Encryption
Original description
### Impact
In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.
### Am I Affected?
Consumers are affected if their application meets the following preconditions:
- It is using the Auth0 WordPress Plugin, versions between 5.0.0-BETA0 and 5.5.0
- The Auth0 WordPress Plugin is using Auth0-PHP SDK versions between 8.0.0 and 8.18.0.
### Resolution
Upgrade Auth0/wordpress to version 5.6.0 or greater.
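The defensive pattern behind this advisory, as an added illustration that is not code from the Auth0 plugin or SDK: the cookie key is drawn from a CSPRNG with a full 256 bits of entropy, a configured key is sanity-checked so an obviously low-entropy value is refused, and the cookie is encrypted with an authenticated cipher so a forged or tampered value fails to open instead of decrypting to garbage. Function names and the sample session are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not the Auth0 SDK API) built on PHP's bundled libsodium.
const COOKIE_KEY_BYTES = SODIUM_CRYPTO_SECRETBOX_KEYBYTES; // 32 bytes = 256 bits

// Generate the key once at install time with a CSPRNG and store it as hex.
function generateCookieKeyHex(): string
{
    return bin2hex(random_bytes(COOKIE_KEY_BYTES));
}

// Sanity check for a configured key: correct length and not a patterned or
// padded value. A 32-byte random key has about 30 distinct byte values on
// average; this catches misconfiguration, it cannot prove randomness.
function cookieKeyLooksStrong(string $hexKey): bool
{
    if (!ctype_xdigit($hexKey) || strlen($hexKey) !== COOKIE_KEY_BYTES * 2) {
        return false;
    }
    return count(array_unique(str_split(hex2bin($hexKey)))) >= 16;
}

// Seal the session: fresh random nonce, secretbox (XSalsa20-Poly1305) output.
function sealCookie(array $session, string $hexKey): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox(json_encode($session, JSON_THROW_ON_ERROR), $nonce, hex2bin($hexKey));
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Open the session; any forged, tampered or wrong-key cookie yields null.
function openCookie(string $cookie, string $hexKey): ?array
{
    try {
        $blob = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;
    }
    if (strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, hex2bin($hexKey));
    return $plain === false ? null : json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed demo: a zero-filled key has the right length but no entropy.
$weakKey = str_repeat('00', COOKIE_KEY_BYTES);
$key     = generateCookieKeyHex();
$cookie  = sealCookie(['sub' => 'auth0|example-user', 'exp' => time() + 3600], $key);
$tampered = substr($cookie, 0, -1) . ($cookie[-1] === 'A' ? 'B' : 'A'); // flip last char
var_dump(cookieKeyLooksStrong($weakKey), cookieKeyLooksStrong($key), openCookie($cookie, $key), openCookie($tampered, $key));
```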
CVSS 3.1 (OSV)
8.2
Vulnerability type
CWE-331
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026