WPScan

WordPress Plugin Vulnerabilities

Simple JWT Login < 3.3.0 - Insecure Password Creation

Description

The plugin can be used to create new WordPress user accounts with a randomly generated password. The password is generated with the str_shuffle PHP function, which, according to PHP's documentation, "does not generate cryptographically secure values, and should not be used for cryptographic purposes". str_shuffle draws from PHP's seedable Mersenne Twister (mt_rand) generator, not from the operating system CSPRNG, so passwords produced this way are predictable to anyone who can learn or reproduce the generator state. Cryptographically secure alternatives in PHP are random_int() and random_bytes(); within WordPress, wp_generate_password() is the API intended for this purpose.
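As an added illustration (not the plugin's own code, and not taken from the fix in version 3.3.0), the following PHP contrasts a str_shuffle-based password generator of the kind this advisory describes with one built on random_int(). The character set, lengths, function names and the demonstration seed are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Contrasts a str_shuffle-based password
// generator (the pattern this advisory describes) with a CSPRNG-based one.
// The alphabet, lengths, function names and seed are illustrative assumptions.

const PASSWORD_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*';

/**
 * Weak: since PHP 7.1, str_shuffle() is driven by the global Mersenne Twister
 * state behind mt_rand(), a non-cryptographic PRNG that can be seeded with
 * mt_srand() and whose state is recoverable from its outputs. Taking a prefix
 * of a shuffled alphabet also means no character repeats, which further
 * shrinks the password space.
 */
function weak_password(int $length = 12): string
{
    return substr(str_shuffle(PASSWORD_ALPHABET), 0, $length);
}

/**
 * Hardened: each position is drawn independently with random_int(), which
 * reads the operating system CSPRNG (getrandom(2), /dev/urandom, or the
 * Windows equivalent) and throws if no secure source is available.
 * Positions are independent, so repeated characters are allowed and the
 * full alphabet^length space is reachable.
 */
function strong_password(int $length = 24): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be positive');
    }
    $max = strlen(PASSWORD_ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= PASSWORD_ALPHABET[random_int(0, $max)];
    }
    return $out;
}

/**
 * Shows the predictability directly: with the generator seeded to a known
 * value, two "random" passwords from the weak generator come out identical,
 * because str_shuffle() consumes the same mt_rand() state both times.
 */
function weak_generator_is_reproducible(int $seed): bool
{
    mt_srand($seed);
    $first = weak_password();
    mt_srand($seed);
    $second = weak_password();
    return $first === $second;
}

var_dump(weak_generator_is_reproducible(1234));
echo strong_password(), PHP_EOL;
```

When auditing a plugin for this class of bug, search its credential and token code paths for str_shuffle, rand, mt_rand, shuffle, array_rand and uniqid; none of these is suitable for generating passwords, reset tokens or API keys. In WordPress code the idiomatic replacement is wp_generate_password(), which obtains its randomness through wp_rand() and random_int() where available, rather than a hand-rolled shuffle.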

Affects Plugins

simple-jwt-login
Fixed in version 3.3.0

References

CVE
CVE-2021-24998
URL
https://plugins.trac.wordpress.org/changeset/2613782

Classification

Type

INSUFFICIENT CRYPTOGRAPHY

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-326

Miscellaneous

Original Researcher

Zian Choy

Submitter

Zian Choy

Verified

Yes

WPVDB ID
1cca404e-766a-43ab-b41f-77d6a3b282fb

Timeline

Publicly Published

2021-10-13

Added

2021-11-24

Last Updated

2022-04-12
