{"api_version":"1","generated_at":"2026-04-23T11:22:34+00:00","cve":"CVE-2020-7947","urls":{"html":"https://cve.report/CVE-2020-7947","api":"https://cve.report/api/cve/CVE-2020-7947.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-7947","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-7947"},"summary":{"title":"CVE-2020-7947","description":"An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-04-01 13:15:00","updated_at":"2021-07-21 11:39:00"},"problem_types":["CWE-1236"],"metrics":[],"references":[{"url":"https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0","name":"https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Security Update for WordPress Plugin for Auth0","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://auth0.com/docs/cms/wordpress","name":"https://auth0.com/docs/cms/wordpress","refsource":"MISC","tags":["Product","Vendor Advisory"],"title":"Login by Auth0 WordPress Plugin","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wordpress.org/plugins/auth0/#developers","name":"https://wordpress.org/plugins/auth0/#developers","refsource":"MISC","tags":["Release Notes","Third Party Advisory"],"title":"WordPress › WordPress Auth0 Integration « WordPress Plugins","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v","name":"https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Several vulnerabilities in WordPress Plugin for Auth0 · Advisory · auth0/wp-auth0 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-7947","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7947","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"7947","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"auth0","cpe5":"login_by_auth0","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"7947","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"auth0","cpe5":"login_by_auth0","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-7947","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://wordpress.org/plugins/auth0/#developers","refsource":"MISC","name":"https://wordpress.org/plugins/auth0/#developers"},{"url":"https://auth0.com/docs/cms/wordpress","refsource":"MISC","name":"https://auth0.com/docs/cms/wordpress"},{"refsource":"CONFIRM","name":"https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0","url":"https://auth0.com/docs/security/bulletins/2020-03-31_wpauth0"},{"refsource":"CONFIRM","name":"https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v","url":"https://github.com/auth0/wp-auth0/security/advisories/GHSA-59vf-cgfw-6h6v"}]}},"nvd":{"publishedDate":"2020-04-01 13:15:00","lastModifiedDate":"2021-07-21 11:39:00","problem_types":["CWE-1236"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:auth0:login_by_auth0:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"4.0.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"7947","Ordinal":"168259","Title":"CVE-2020-7947","CVE":"CVE-2020-7947","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"7947","Ordinal":"1","NoteData":"An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"7947","Ordinal":"2","NoteData":"2020-04-01","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"7947","Ordinal":"3","NoteData":"2020-04-01","Type":"Other","Title":"Modified"}]}}}