WordPress Plugin Vulnerabilities

Simple JWT Login < 3.3.0 - Insecure Password Creation

Description

The plugin can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.

Affects Plugins

Plugin icon
simple-jwt-login
Fixed in 3.3.0

References

CVE
CVE-2021-24998
URL
https://plugins.trac.wordpress.org/changeset/2613782

Classification

Type
INSUFFICIENT CRYPTOGRAPHY
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-326
CVSS
3.7 (low)

Miscellaneous

Original Researcher
Zian Choy
Submitter
Zian Choy
Verified
Yes
WPVDB ID
1cca404e-766a-43ab-b41f-77d6a3b282fb

Timeline

Publicly Published
2021-10-13 (about 4 years ago)
Added
2021-11-24 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2023-11-21
Title
UserPro < 5.1.2 - Insecure Password Reset Mechanism
Published
2023-07-14
Title
All-In-One Security (AIOS) – Security and Firewall < 5.2.0 - Insecure Storage of Password
Published
2023-10-20
Title
SALESmanago < 3.2.5 - Log Injection via Weak Authentication Token
Published
2025-08-28
Title
Password Reset with Code < 0.0.17 - Insecure Password Reset Code Creation
Published
2022-09-21
Title
Passster < 3.5.5.5.2 - Insecure Storage of Password