WordPress Plugin Vulnerabilities
Simple JWT Login < 3.3.0 - Insecure Password Creation
Description
The plugin can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.
Affects Plugins
Fixed in version 3.3.0
References
Classification
Type
INSUFFICIENT CRYPTOGRAPHY
OWASP top 10
CWE
Miscellaneous
Original Researcher
Zian Choy
Submitter
Zian Choy
Verified
Yes
Timeline
Publicly Published
2021-10-13 (about 11 months ago)
Added
2021-11-24 (about 10 months ago)
Last Updated
2022-04-12 (about 5 months ago)