Part of the security audit tracked in #2794.
Plugin: wp-content/plugins/auth0/ — mapped from https://github.com/proudcity/wp-auth0-legacy (currently v3.4.2).
Note: The other Auth0 folder in the tree (wp-content/plugins/wp-auth0/, from proudcity/wp-auth0) is dormant and not loaded. This audit targets the active auth0/ plugin only.
Audit complete (2026-05-06)
Severity counts:
- Critical: 5
- High: 4
- Medium: 6
- Low: 7
- Info / defense-in-depth: 5
- Resolved in v3.4.2: 2
Full findings (with attack scenarios, proof-of-concept payloads, and fix recommendations) are kept in the internal developer notes — not in this issue. See Github Issue Notes/2821 - Security Audit auth0.md in the developer notes folder.
The Critical findings allow any logged-in subscriber to take over the Auth0 configuration, delete other users' MFA, and exfiltrate the full PII export. Treat as urgent.