Insecure Password Generation in Simple JWT Login WordPress Plugin

Insecure Password Generation in Simple JWT Login WordPress Plugin

CVE-2021-24998 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.

Learn more about our Wordpress Pen Testing.