Description: Overview
The Auth0 Symfony SDK contains a critical vulnerability due to insecure deserialization of cookie data. Because the SDK processes cookie content before any authentication takes place, a threat actor could exploit this by sending a specially crafted cookie containing malicious serialized data.
Am I Affected?
You are affected by this vulnerability if you meet the following preconditions:
Applications using the Auth0 Symfony SDK, versions from 5.0.0 BETA-0 through 5.0.0.
Auth0 Symfony SDK uses the Auth0-PHP SDK, versions from 8.0.0-BETA3 through 8.3.0.
Fix
Upgrade Auth0/symfony to the latest version (v5.4.0).
Acknowledgement
Okta would like to thank Andreas Forsblom for discovering this vulnerability.
References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
https://nvd.nist.gov/vuln/detail/CVE-2025-48951
https://github.com/advisories/GHSA-98j6-67v3-mw34
CVSS: CRITICAL (9.3)
June 6th, 2025

CVE-2025-5701
Description: The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVSS: CRITICAL (9.8)
June 5th, 2025

Description: Overview
The Auth0 WordPress plugin contains a critical vulnerability due to insecure deserialization of cookie data. Because the plugin processes cookie content before any authentication takes place, a threat actor could exploit this by sending a specially crafted cookie containing malicious serialized data.
Am I Affected?
You are affected by this vulnerability if you meet the following preconditions:
Applications using the Auth0 WordPress plugin, versions from 5.0.0 BETA-0 through 5.0.1.
Auth0 WordPress plugin uses the Auth0-PHP SDK, versions from 8.0.0-BETA3 through 8.3.0.
Fix
Upgrade the Auth0 WordPress plugin to the latest version (v5.3.0).
References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
https://nvd.nist.gov/vuln/detail/CVE-2025-48951
https://github.com/advisories/GHSA-862m-5253-832r
CVSS: CRITICAL (9.3) EPSS Score: 0.06%
June 5th, 2025

Description: Overview
The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data. Because the SDK processes cookie content before any authentication takes place, a threat actor could exploit this by sending a specially crafted cookie containing malicious serialized data.
Am I Affected?
You are affected by this vulnerability if you meet the following preconditions:
Applications using the Auth0-PHP SDK, versions from 8.0.0-BETA3 through 8.3.0.
Applications using the following SDKs that rely on the Auth0-PHP SDK, versions from 8.0.0-BETA3 through 8.3.0:
a. Auth0/symfony,
b. Auth0/laravel-auth0,
c. Auth0/wordpress.
Fix
Upgrade Auth0/Auth0-PHP to 8.3.1.
Acknowledgement
Okta would like to thank Andreas Forsblom for discovering this vulnerability.
References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
https://nvd.nist.gov/vuln/detail/CVE-2025-48951
https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715
https://github.com/advisories/GHSA-v9m8-9xxp-q492
CVSS: CRITICAL (9.3) EPSS Score: 0.06%
June 4th, 2025

CVE-2025-48951
Description: Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions from 8.0.0-BETA3 prior to 8.14.0 contain a vulnerability due to insecure deserialization of cookie data. Because the SDK processes cookie content before any authentication takes place, a threat actor could exploit this by sending a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKs rely on Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.14.0 contains a patch for the issue.
CVSS: CRITICAL (9.3) EPSS Score: 0.06%
June 3rd, 2025

CVE-2025-4797
Description: The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address.
CVSS: CRITICAL (9.8) EPSS Score: 0.07%
June 3rd, 2025

CVE-2025-4631
Description: The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. This makes it possible to trigger the save_object_as_user() function for objects whose '_datatype' is set to 'users'. This allows unauthenticated attackers to write arbitrary strings straight into the user's wp_capabilities meta field, potentially elevating the privileges of an existing user account or a newly created one to that of an administrator.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
May 31st, 2025

CVE-2025-4607
Description: The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. This is due to the use of a weak, low-entropy OTP mechanism in the forget() function. This makes it possible for unauthenticated attackers to initiate a password reset for any user, including administrators, and elevate their privileges for full site takeover.
CVSS: CRITICAL (9.8) EPSS Score: 0.08%
May 31st, 2025

CVE-2025-48336
Description: Deserialization of Untrusted Data vulnerability in ThimPress Course Builder allows Object Injection. This issue affects Course Builder: from n/a before 3.6.6.
CVSS: CRITICAL (9.8) EPSS Score: 0.05%
May 29th, 2025

CVE-2025-5058
Description: The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.
CVSS: CRITICAL (9.8) EPSS Score: 0.18%
May 24th, 2025