GHSA-2f4r-34m4-3w8q: 
PHP vulnerability analysis and mitigation

The Auth0 WordPress plugin vulnerability (CVE-2025-47275) affects applications using versions prior to 5.3.0, discovered by Félix Charette and disclosed on May 15, 2025. The vulnerability specifically impacts applications using the Auth0 WordPress Plugin with version <=5.2.1 and Auth0-PHP SDK versions between 8.0.0-BETA1 and 8.14.0 that have session storage configured with CookieStore (GitHub Advisory).

The vulnerability involves session cookies of applications using the Auth0 WordPress plugin configured with CookieStore having authentication tags that can be brute forced. The vulnerability has received a Critical CVSS v3.1 base score of 9.1, with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. This indicates network-based attack vector, low attack complexity, no privileges required, no user interaction needed, unchanged scope, and high impact on both confidentiality and integrity (GitHub Advisory).

The vulnerability can result in unauthorized access to affected systems. The CVSS scoring indicates high impact on both confidentiality and integrity of the affected systems, though availability is not impacted. The critical severity rating suggests potential significant consequences for affected installations (GitHub Advisory).

The vulnerability has been patched in version 5.3.0 of the Auth0 WordPress plugin. Users are advised to upgrade to this version immediately. Additionally, it is recommended to rotate cookie encryption keys as a precautionary measure. It should be noted that after updating, any previous session cookies will be rejected (GitHub Advisory, WordPress Release).