The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that “does not generate cryptographically secure values, and should not be used for cryptographic purposes” according to PHP’s documentation.
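The weakness described above, shown as an added example that is not the plugin's code: a `str_shuffle`-based password generator next to one built on `random_int()`. The function names, the alphabet and the lengths are assumptions made for illustration.

```php
<?php
// Added illustration; function names and the alphabet are hypothetical,
// not taken from the Simple JWT Login source.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Weak pattern: str_shuffle() draws from PHP's non-cryptographic generator,
// and a prefix of a shuffled alphabet can never repeat a character.
function weak_password(int $length = 10): string
{
    return substr(str_shuffle(ALPHABET), 0, $length);
}

// Hardened pattern: each character is chosen independently with random_int(),
// which uses the operating system's CSPRNG and throws if none is available.
function strong_password(int $length = 20): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be positive');
    }
    $max = strlen(ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, $max)];
    }
    return $out;
}

// Structural check: how many generated passwords contain a repeated character?
function count_with_repeats(callable $gen, int $samples): int
{
    $hits = 0;
    for ($i = 0; $i < $samples; $i++) {
        $pw = $gen();
        if (count(array_unique(str_split($pw))) < strlen($pw)) {
            $hits++;
        }
    }
    return $hits;
}

printf("weak   with repeats: %d / 1000\n", count_with_repeats('weak_password', 1000));
printf("strong with repeats: %d / 1000\n", count_with_repeats('strong_password', 1000));
```

The repeat count makes the reduced output space of the shuffle approach visible, independent of the generator's predictability. Inside WordPress, `wp_generate_password()` is the core helper for generating passwords.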
[
  {
    "vendor": "Unknown",
    "product": "Simple JWT Login",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "3.3.0"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]