# CVE-2019-20173: Security Update for WordPress Plugin for Auth0 (wp-auth0)

**Published**: January 31, 2020

**CVE number**: CVE-2019-20173

**Credit**: Muhamad Visat

## Overview

The WordPress Plugin for Auth0 versions 3.11.0, 3.11.1, and 3.11.2 do not properly sanitize the `wle` query parameter. This could allow an attacker to run a cross-site scripting (XSS) attack on the login page.
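Because the issue is tied to one query parameter on the login page, web server access logs can be reviewed for requests that sent markup in `wle`. The following Python sketch is an added example, not code from Auth0 or the plugin; it assumes combined-format access logs and uses a simple character heuristic chosen for this example, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that can break out of HTML text or attribute context (example heuristic).
MARKUP_CHARS = set("<>\"'`")


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_wle_values(line):
    """Return decoded `wle` values of a wp-login.php request that contain markup."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    if not url.path.endswith("/wp-login.php"):
        return []
    # keep_blank_values: a bare "?wle" is a normal request and must still parse.
    values = parse_qs(url.query, keep_blank_values=True).get("wle", [])
    return [v for v in map(fully_decode, values) if MARKUP_CHARS & set(v)]


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jan/2020:10:00:00 +0000] "GET /wp-login.php?wle HTTP/1.1" 200 4521',
    '203.0.113.9 - - [31/Jan/2020:10:00:07 +0000] "GET /wp-login.php?wle=%22%3E%3Cb%3E HTTP/1.1" 200 4533',
    '203.0.113.9 - - [31/Jan/2020:10:00:09 +0000] "GET /wp-login.php?wle=%2522%253E HTTP/1.1" 200 4530',
    '203.0.113.7 - - [31/Jan/2020:10:00:12 +0000] "GET /index.php?wle=%3Cb%3E HTTP/1.1" 200 900',
]


def review(lines):
    """Map each flagged log line index to its decoded `wle` values."""
    return {i: hits for i, line in enumerate(lines) if (hits := suspicious_wle_values(line))}


if __name__ == "__main__":
    for index, hits in review(SAMPLE_LOG).items():
        print(index, hits)
```

A hit shows only that markup was sent to the login page; whether it could have executed depends on the plugin version and setting described in the next section.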

## Am I affected?

You are affected by this vulnerability if all of the following apply:

* You are using the WordPress Plugin for Auth0 versions 3.11.0, 3.11.1, or 3.11.2
* The “Original Login Form on wp-login.php” setting under Basic settings is set to either of these two options:

  * “Via a link under the Auth0 form” (default option)
  * “When "wle" query parameter is present”

## How do I fix it?

Developers using the WordPress Plugin for Auth0 need to upgrade to version 3.11.3 or later.

## Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.
