GHSA-vvg7-8rmq-92g7: Auth0 WordPress has Improper Audience Validation via Auth0-PHP SDK Dependency

December 17, 2025

In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.

References

github.com/advisories/GHSA-vvg7-8rmq-92g7
github.com/auth0/wordpress
github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de
github.com/auth0/wordpress/releases/tag/5.5.0
github.com/auth0/wordpress/security/advisories/GHSA-vvg7-8rmq-92g7

Code Behaviors & Features

Detect and mitigate GHSA-vvg7-8rmq-92g7 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →