Description

WordPress Plugin Simple JWT Login-Login and Register to WordPress using JWT is using the str_shuffle PHP function to generate user passwords, that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation. WordPress Plugin Simple JWT Login-Login and Register to WordPress using JWT version 3.2.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 3.3.0 or latest

References

https://plugins.trac.wordpress.org/changeset/2613782

Related Vulnerabilities

WordPress Plugin UpdraftPlus WordPress Backup Privilege Escalation (1.23.2)

Oracle JRE CVE-2012-1532 Vulnerability (CVE-2012-1532)

WordPress Plugin Double Opt-In for Download SQL Injection (2.0.9)

WordPress Plugin YouTube Cross-Site Request Forgery (11.8.1)

WordPress Plugin Tracking Code Manager Multiple Vulnerabilities (1.11.1)

Severity

High

Classification

CVE-2021-24998 CWE-326 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update