Login by Auth0 Security & Risk Analysis

wordpress.org/plugins/auth0

Login by Auth0 provides improved username/password login, Passwordless login, Social login and Single Sign On for all your sites.

10K active installs · v4.6.2 · PHP 7.4+ · WP 6.5.5+ · Updated Jul 12, 2024
Tags: authentication, multi-factor, security, single-sign-on, social
Score: 83 · B · Generally Safe
CVEs total: 7
Unpatched: 0
Last CVE: Jul 9, 2024
Safety Verdict

Is Login by Auth0 Safe to Use in 2026?

Mostly Safe

Score 83/100

Login by Auth0 is generally safe to use though it hasn't been updated recently. 7 past CVEs were resolved.

7 known CVEs · Last CVE: Jul 9, 2024 · Updated 1yr ago
Risk Assessment

The Auth0 plugin v4.6.2 exhibits a mixed security posture. On the positive side, it demonstrates strong practices in secure coding by exclusively using prepared statements for SQL queries, achieving excellent output escaping rates, and implementing nonce and capability checks on most entry points. The absence of dangerous functions, file operations, and external HTTP requests is also commendable. However, a significant concern arises from the presence of one unprotected AJAX handler, which represents an easily exploitable entry point into the plugin's functionality. The plugin's vulnerability history is a substantial red flag, with a total of seven known CVEs, including one critical and two high-severity issues. While no vulnerabilities are currently unpatched, the recurring pattern of cross-site scripting, authorization bypass, injection, and CSRF vulnerabilities suggests persistent weaknesses in input validation and authorization mechanisms that require ongoing attention. Despite the strong static analysis results for current code, the historical context necessitates a cautious approach.

Key Concerns

  • Unprotected AJAX handler
  • History of 1 critical CVE
  • History of 2 high CVEs
  • History of 4 medium CVEs
  • Common vulnerability types (XSS, Auth Bypass, Injection, CSRF)
Vulnerabilities
7 published

Login by Auth0 Security Vulnerabilities

CVEs by Year

2020: 6 CVEs
2024: 1 CVE

Severity Breakdown

Critical: 1
High: 2
Medium: 4

7 total CVEs

CVE-2023-6813 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Login by Auth0 <= 4.6.0 - Reflected Cross-Site Scripting via wle

Jul 9, 2024 · Patched in 4.6.1 (21d)

CVE-2020-7948 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Login by Auth0 <= 3.11.3 - Insecure Direct Object Reference

Apr 1, 2020 · Patched in 4.0.0 (1392d)

CVE-2020-7947 · critical · 9.8 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Login by Auth0 <= 3.11.3 - CSV Injection

Apr 1, 2020 · Patched in 4.0.0 (1392d)

CVE-2020-6753 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Login by Auth0 <= 3.11.3 - Stored Cross-Site Scripting

Apr 1, 2020 · Patched in 4.0.0 (1392d)

CVE-2020-5391 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Login by Auth0 <= 3.11.3 - Cross-Site Request Forgery

Apr 1, 2020 · Patched in 4.0.0 (1392d)

CVE-2020-5392 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Login by Auth0 Plugin <= 3.11.3 - Stored Cross-Site Scripting

Mar 31, 2020 · Patched in 4.0.0 (1393d)

CVE-2019-20173 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Login by Auth0 3.11.0 - 3.11.2 - Cross-Site Scripting

Jan 31, 2020 · Patched in 3.11.3 (1453d)
Version History

Login by Auth0 Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Login by Auth0 Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 1 (113 escaped)
Nonce Checks: 5
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

99% escaped · 114 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

3 flows
wp_auth0_settings_admin_action_error (WP_Auth0.php:343)
Attack Surface
1 unprotected

Login by Auth0 Attack Surface

Entry Points: 5
Unprotected: 1

AJAX Handlers: 4

auth · wp_ajax_auth0_delete_data · WP_Auth0.php:403
auth · wp_ajax_auth0_delete_cache_transient · WP_Auth0.php:613
auth · wp_ajax_auth0_rotate_migration_token · WP_Auth0.php:630
nopriv · wp_ajax_resend_verification_email · WP_Auth0.php:658

Shortcodes: 1

[auth0] WP_Auth0.php:81
WordPress Hooks: 38

action · plugins_loaded · WP_Auth0.php:58
action · init · WP_Auth0.php:65
action · activated_plugin · WP_Auth0.php:136
filter · allowed_redirect_hosts · WP_Auth0.php:151
action · login_enqueue_scripts · WP_Auth0.php:162
action · wp_enqueue_scripts · WP_Auth0.php:173
action · widgets_init · WP_Auth0.php:180
filter · query_vars · WP_Auth0.php:186
filter · login_message · WP_Auth0.php:204
filter · get_avatar · WP_Auth0.php:279
action · admin_action_wpauth0_clear_error_log · WP_Auth0.php:305
action · admin_action_wpauth0_export_settings · WP_Auth0.php:333
action · admin_action_wpauth0_import_settings · WP_Auth0.php:341
action · admin_notices · WP_Auth0.php:360
action · profile_update · WP_Auth0.php:370
action · user_profile_update_errors · WP_Auth0.php:382
action · validate_password_reset · WP_Auth0.php:385
action · woocommerce_save_account_details_errors · WP_Auth0.php:388
action · edit_user_profile · WP_Auth0.php:395
action · show_user_profile · WP_Auth0.php:396
action · admin_menu · WP_Auth0.php:466
action · admin_notices · WP_Auth0.php:516
action · admin_init · WP_Auth0.php:525
action · admin_enqueue_scripts · WP_Auth0.php:534
action · parse_request · WP_Auth0.php:541
action · admin_enqueue_scripts · WP_Auth0.php:581
action · template_redirect · WP_Auth0.php:589
action · login_init · WP_Auth0.php:597
action · wp_logout · WP_Auth0.php:605
filter · wp_redirect · WP_Auth0.php:695
filter · lostpassword_url · WP_Auth0.php:724
filter · login_url · WP_Auth0.php:725
action · login_form · WP_Auth0.php:744
action · lostpassword_form · WP_Auth0.php:745
filter · body_class · WP_Auth0.php:761
filter · login_body_class · WP_Auth0.php:762
filter · woocommerce_checkout_login_message · WP_Auth0.php:780
filter · woocommerce_before_customer_login_form · WP_Auth0.php:794
Maintenance & Trust

Login by Auth0 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.5.8
Last updated: Jul 12, 2024
PHP min version: 7.4
Downloads: 256K

Community Trust

Rating: 62/100
Number of ratings: 18
Active installs: 10K
Developer Profile

Login by Auth0 Developer Profile

Auth0

1 plugin · 10K total installs

Trust score: 67
Avg Security Score: 83/100
Avg Patch Time: 1205 days
Detection Fingerprints

How We Detect Login by Auth0

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/auth0/assets/css/login.css
/wp-content/plugins/auth0/assets/css/main.css
Version Parameters
auth0/login.css?ver=
auth0-widget/main.css?ver=

HTML / DOM Fingerprints

CSS Classes
avatar-auth0
Data Attributes
data-lock-id, data-access-token, data-id-token, data-domain, data-client-id, data-redirect-uri, +6 more
JS Globals
WP_Auth0_Lock, Auth0
Shortcode Output
[auth0]
FAQ

Frequently Asked Questions about Login by Auth0