Cast user ID to integer to fix reflected XSS

auth0 · Dec 17, 2019 · 9d7777b · 9d7777b
1 parent d5c5c0d
commit 9d7777b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Change Log
 
+## [3.7.3](https://github.com/auth0/wp-auth0/tree/3.7.3) (2019-12-17)
+[Full Changelog](https://github.com/auth0/wp-auth0/compare/3.7.1...3.7.3)
+
+**Fixed**
+- Cast user ID to integer to fix reflected XSS
+
 ## [3.7.1](https://github.com/auth0/wp-auth0/tree/3.7.1) (2018-10-08)
 [Full Changelog](https://github.com/auth0/wp-auth0/compare/3.7.0...3.7.1)
 

diff --git a/WP_Auth0.php b/WP_Auth0.php
@@ -2,12 +2,12 @@
 /**
  * Plugin Name: Login by Auth0
  * Description: Login by Auth0 provides improved username/password login, Passwordless login, Social login and Single Sign On for all your sites.
- * Version: 3.7.1
+ * Version: 3.7.3
  * Author: Auth0
  * Author URI: https://auth0.com
  * Text Domain: wp-auth0
  */
-define( 'WPA0_VERSION', '3.7.1' );
+define( 'WPA0_VERSION', '3.7.3' );
 define( 'AUTH0_DB_VERSION', 19 );
 
 define( 'WPA0_PLUGIN_FILE', __FILE__ );

diff --git a/lib/WP_Auth0_EditProfile.php b/lib/WP_Auth0_EditProfile.php
@@ -148,7 +148,7 @@ function DeleteAuth0Data(event) {
 
 	  var data = {
 		'action': 'auth0_delete_data',
-		'user_id': '<?php echo $_GET['user_id']; ?>'
+		'user_id': '<?php echo (int) $_GET['user_id']; ?>'
 	  };
 
 	  var successMsg = "<?php _e( 'Done!', 'wp-auth0' ); ?>";
@@ -191,7 +191,7 @@ function DeleteMFA(event) {
 
 	  var data = {
 		'action': 'auth0_delete_mfa',
-		'user_id': '<?php echo $_GET['user_id']; ?>'
+		'user_id': '<?php echo (int) $_GET['user_id']; ?>'
 	  };
 
 	var successMsg = "<?php _e( 'Done!', 'wp-auth0' ); ?>";