CVE-2021-24998

HIGH

Simple JWT Login WP <3.3.0 - Info Disclosure


Description

The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.
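
The weakness described above, shown as a shuffle-based generator beside a hardened one that draws each character from the CSPRNG. This is an added example, not the plugin's code; the alphabet, the function names and the default length are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; NOT the Simple JWT Login plugin's source code.
// ALPHABET and all function names below are assumptions for this example.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*';

// Weak pattern (CWE-330): str_shuffle() is documented as not cryptographically
// secure. A shuffle is also a permutation, so no character can appear twice,
// which shrinks the space of possible passwords further.
function weak_password(int $length = 16): string
{
    return substr(str_shuffle(ALPHABET), 0, $length);
}

// Hardened form: every character is drawn independently with random_int(),
// which is backed by the operating system CSPRNG and returns unbiased integers.
function strong_password(int $length = 16): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be at least 1');
    }
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Structural check for code review: true if any character occurs twice.
function has_repeat(string $s): bool
{
    return count(array_unique(str_split($s))) < strlen($s);
}

// Sample both generators and count outputs that contain a repeated character.
$weakRepeats = 0;
$strongRepeats = 0;
for ($i = 0; $i < 1000; $i++) {
    $weakRepeats   += has_repeat(weak_password()) ? 1 : 0;
    $strongRepeats += has_repeat(strong_password()) ? 1 : 0;
}
printf("shuffle-based, samples with a repeated character: %d / 1000\n", $weakRepeats);
printf("random_int-based, samples with a repeated character: %d / 1000\n", $strongRepeats);
```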

Scores

CVSS v3 7.5
EPSS 0.0021
EPSS Percentile 42.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE CWE-330
Status published
Products (1) simple_jwt_login_project/simple_jwt_login < 3.3.0
Published Dec 27, 2021
Tracked Since Feb 18, 2026