V5 is not available from the Wordpress plugin directory
Checklist
- [x] I have looked into the Readme and the documentation, and have not found a suitable solution or answer.
- [x] I have searched the issues and have not found a suitable solution or answer.
- [x] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [x] I agree to the terms within the Auth0 Code of Conduct.
Description
Our Wordpress website is administered in the standard low-tech manner, where all plugins and other changes are made through the built-in Wordpress admin UI (/wp-admin/plugins.php).
Although version 5 has been available for over 2.5 years, and version 4 has been considered unsupported for 2 years, the latest version available through the Wordpress admin UI (via the Wordpress plugin marketplace) is only 4.6.2. Also, the latest 5.x releases published to GitHub are source code only -- they lack a built version of the plugin that could be downloaded and then manually uploaded through the admin UI to upgrade. Therefore, standard Wordpress installations maintained through the admin UI are effectively stuck on an unsupported version of the plugin and unable to upgrade.
Last year (in May), I filed an Auth0 support ticket #02351670 requesting assistance, and I received the following response:
> Unfortunately, it's not currently possible to publish a built version in a zip file. Please look into using Composer for this update. We're working to get the Marketplace release of V5 as soon as we can.
Migrating to Composer requires significant technical expertise and investment in tooling + build/deploy infrastructure that is a much higher bar than a few clicks in the admin UI, so this requirement is a non-starter for us, as our technical expertise lies in other areas and our Wordpress site is simply used for hosting some protected content accessible to our user base (whose accounts are managed in Auth0).
Since my ticket was closed, https://community.auth0.com/t/auth0-wordpress-plugin-v4-issues/141062 was published last August recommending that users upgrade to v5 of the plugin, but without mentioning the lack of an upgrade option for users who maintain their Wordpress through the admin UI.
Since 28 months have passed since v4.x became unsupported, and 9 months have passed since Auth0 indicated a marketplace release of v5 will be available "as soon as we can", I'm filing this issue in hopes of finally gaining some traction on this. Please let me know if I should direct this request elsewhere.
Reproduction
Open https://wordpress.org/plugins/auth0/ and observe that version 4.6.2 is the latest version.
Additionally, observe that this is the documented method for installing the plugin: https://auth0.com/docs/customize/integrations/cms/wordpress-plugin/install-login-by-auth0:
> This plugin can be added to your WordPress site using the Plugins screen in the wp-admin:
> - Log in to an existing WordPress site as an administrator.
> - Go to Plugins > Add New in the admin menu on the left.
> - Search for "Login by Auth0"
> - For the Login by Auth0 plugin, click Install Now, then Activate.
Open https://github.com/auth0/wordpress/releases/tag/5.3.0 and observe that the only assets are "Source code" bundles.
Additional context
This issue is a recreation of #923 (with updated timelines), since that issue was closed as "completed" with the comment that the team is "actively working on it", but there have been no updates for over 4 months, and I am unable to reopen the original issue.
wp-auth0 version
4.6.2
WordPress version
6.8.1
PHP version
8.3
Hi @robbytx, thanks so much for the detailed report and for patiently following up on this.
You're absolutely right that version 5.x is not currently available through the WordPress plugin marketplace, and this is unfortunately still the case due to a few challenges we’re working through as maintainers.
A few of the blockers we’re facing:
- Build + packaging compliance: The WordPress plugin marketplace has specific requirements for distributed zip bundles that don’t align cleanly with our Composer-based build pipeline. This requires us to manually maintain and validate a separate release flow.
- Plugin metadata & signature validation: Marketplace submission requires some structural and metadata changes (e.g. stable tag syncing, changelog formatting, translation domain declarations) that aren’t enforced when releasing via GitHub alone.
- Testing overhead for legacy environments: Marketplace distribution increases the scope of environments we need to support and test — including setups that use no modern PHP tooling (as in your case). This takes time and coordination we haven’t fully resourced yet.
We completely understand how this limitation impacts low-tech or admin-UI-only WordPress setups, and it’s a valid concern. Our goal is still to make v5.x available on the marketplace — we just haven’t reached the point where we can safely and sustainably do that.
That said, your message is a helpful nudge. I’ve shared this internally again, and we’ll aim to prioritize it more visibly.
In the meantime, if anything changes or we need clarification on your setup when finalizing packaging, we’ll follow up here. Thanks again for the thorough report and for raising this in good faith.
Hi all,
Coming late to the party here but just wanted to flag that this page is still funnelling people towards version 4.6.2: https://auth0.com/wordpress
The Download plugin button at the top goes to the WordPress plugin directory with 4.6.2. Could this instead go to the GitHub releases page?
The How it Works section also gives a step by step for installing the plugin from the WordPress plugin directory. Could this instead give steps for uploading a .zip to the WordPress plugin screen?
The docs also seem to be focused on V4, e.g. https://auth0.com/docs/customize/integrations/cms/wordpress-plugin/extend-login-by-auth0
I've just finished implementing 4.6.2 on a site and have only just seen there's a version 5.
Thanks,
@kishore7snehil any updates on this since June? Has it received any attention in your team's prioritization discussions?
The Wordpress page lists 10,000+ active installations:
And you are starting to get negative reviews:
Hi @robbytx, thanks for the follow-up and for highlighting the urgency here. You're right to push on this.
Since my last update in June, we've been working through the blockers I mentioned, and I want to give you a concrete update on where we are:
What's ready now:
The v5.4.0 release is built and includes a critical security fix (CVE-2025-58769). I've also prepared a plugin-ready zip that can be manually installed through wp-admin - no Composer required. I can attach this to the GitHub release immediately if that helps your situation.
What's still blocking marketplace deployment:
The challenge we're still working through is that v5 is a complete rewrite, and there's currently no automatic migration path from v4 settings to v5. If we push v5 as the stable version on WordPress.org right now, all 10K+ users would auto-update and lose their Auth0 configuration, requiring manual reconfiguration. That's a breaking change we can't responsibly deploy without either:
- Building automatic migration tooling, or
- A very clear communication plan to prepare users
We're also coordinating with our docs team to update the installation guides and ensure users have proper upgrade instructions.
What I'm proposing:
Given the urgency, I'm advocating internally to deploy v5.4.0 to the WordPress.org trunk (not as stable) within the next week or two. This would make v5 available for testing while keeping existing users on v4.6.2 until we have migration support ready. Advanced users could opt into the trunk version, and we'd gather feedback to improve the migration experience before the stable release.
I'm also working on getting pre-built zips attached to all GitHub releases going forward, so manual installation is always an option.
For your immediate needs:
If you need v5 now, I can provide the plugin-ready zip today. You'd need to manually reconfigure your Auth0 settings after installation, but it would get you off v4.6.2. Let me know if that works for you, and I'll make it available.
I completely understand the frustration, and the negative reviews reflect that. I'm pushing to get this resolved as quickly as we can while protecting the existing user base from a breaking auto-update. I'll keep this thread updated as we make progress.
@kishore7snehil thank you for the update. What you've shared is promising, and I look forward to either (a) upgrading via manual install, or (b) installing directly from Wordpress.org once you have the migration scenarios described.
As for the urgency, CVE-2025-58769 certainly sounds concerning -- does it require administrative privileges to access, or is it exploitable by any authenticated user?
@robbytx, good question on the CVE details. CVE-2025-58769 is specific to the Bulk User Import endpoint in the Auth0-PHP SDK (versions 3.3.0–8.16.0) and has a CVSS score of 3.3 (LOW severity).
To answer your question directly: it requires administrative privileges to exploit and it's not exploitable by regular authenticated users.
The vulnerability affects the file path validation in the bulk import functionality, which is typically only accessible to administrators. Still, it's a security issue we wanted to address promptly, which is why it's included in v5.4.0.
For your use case, if you're not using the bulk user import feature or you have proper admin access controls in place, the immediate risk is minimal. But upgrading to v5.4.0 (via manual install) would address it completely.
Let me know if you have other questions about the CVE.