Description

WordPress Plugin Simple JWT Login-Login and Register to WordPress using JWT is using the str_shuffle PHP function to generate user passwords, that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation. WordPress Plugin Simple JWT Login-Login and Register to WordPress using JWT version 3.2.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 3.3.0 or latest

References

https://plugins.trac.wordpress.org/changeset/2613782

Related Vulnerabilities

WordPress Plugin open-flash-chart-core Remote Code Execution (0.4)

WordPress Credentials Management Errors Vulnerability (CVE-2009-2762)

WordPress Plugin Staff Directory:Company Directory Cross-Site Request Forgery (3.6)

Zenphoto Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2010-4907)

WordPress Plugin TheCartPress eCommerce Shopping Cart 'tcp_class_path' Parameter Remote File Include (1.1.1)

Severity

High

Classification

CVE-2021-24998 CWE-326 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update