An issue exists in the Login by Auth0 plugin prior to 4.0.0 for WordPress. A user can perform an insecure direct object reference.
auth0 login by auth0