GHSA-w22c-pw5m-482x: 
PHP vulnerability analysis and mitigation

The Auth0 WordPress plugin contains a vulnerability in its Bulk User Import functionality that affects versions 5.0.0-BETA0 through 5.3.0. The vulnerability stems from improper validation of file-path wrappers and values in the Auth0-PHP SDK (versions 3.3.0 through 8.16.0), which the WordPress plugin relies on. This security issue was discovered by Mohamed Amine Saidani (pwni) and has been assigned CVE-2025-58769 (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 3.3 (Low severity) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N. It is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) and involves the Bulk User Import endpoint's failure to properly validate file paths and URLs. The attack vector is network-based with high attack complexity and requires high privileges, but no user interaction (GitHub Advisory).

When exploited, the vulnerability could allow affected applications to accept arbitrary file paths or URLs through the Bulk User Import functionality. This could potentially lead to low-level impacts on both confidentiality and integrity of the system, though availability is not affected (GitHub Advisory).

Users are advised to upgrade the Auth0 WordPress plugin to version 5.4.0 or later, which contains the security fix. This update includes an upgraded dependency on auth0/auth0-php to version 8.17.0, which addresses the underlying vulnerability (WordPress Release, GitHub Commit).