WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Simple JWT Login < 3.3.0 - Insecure Password Creation

Description

The plugin can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle  PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.

Affects Plugins

simple-jwt-login
Fixed in version 3.3.0

References

CVE
CVE-2021-24998
URL
https://plugins.trac.wordpress.org/changeset/2613782

Classification

Type

INSUFFICIENT CRYPTOGRAPHY

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-326

Miscellaneous

Original Researcher

Zian Choy

Submitter

Zian Choy

Verified

Yes

WPVDB ID
1cca404e-766a-43ab-b41f-77d6a3b282fb

Timeline

Publicly Published

2021-10-13 (about 7 months ago)

Added

2021-11-24 (about 6 months ago)

Last Updated

2022-04-12 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin