QwikSec

Security Database

CVE

CWE

Training

CVE-2021-24998

Published: Dec 27, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.

Vendor	Product	Versions
Unknown	Simple JWT Login	affected `0 - < 3.3.0`

References

https://wpscan.com/vulnerability/1cca404e-766a-43ab-b41f-77d6a3b282fb

exploit

vdb-entry

technical-description

https://plugins.trac.wordpress.org/changeset/2613782

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.