The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged-in admin change them. Settings such as the HMAC verification secret, account registration and default user roles can be updated, which could result in site takeover.
CPE

Name | Operator | Version |
---|---|---|
simple_jwt_login | lt | 3.2.1 |
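
The missing check described above, shown as a settings form and save handler that include it. This is an added example, not the plugin's own code: every `example_*` name, the option key and the role allowlist are hypothetical; only the WordPress core functions are real.

```php
<?php
// Added illustration; all "example_*" names are hypothetical, not the plugin's code.

// Render the settings form with a nonce tied to this action and the admin's session.
function example_render_settings_form() {
    $opts = get_option( 'example_jwt_options', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="default_role"
               value="<?php echo esc_attr( $opts['default_role'] ?? 'subscriber' ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST. Without the two checks at the top, a cross-site request sent
// with the admin's cookies would be accepted as a legitimate settings change.
function example_save_settings() {
    // Authorization: only users who may manage options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Intent: ends the request with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $role = isset( $_POST['default_role'] )
        ? sanitize_key( wp_unslash( $_POST['default_role'] ) )
        : 'subscriber';
    // Defence in depth (assumption of this example): never accept a
    // privileged role as the default for newly registered accounts.
    if ( ! in_array( $role, array( 'subscriber', 'contributor' ), true ) ) {
        $role = 'subscriber';
    }
    update_option( 'example_jwt_options', array( 'default_role' => $role ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-jwt&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings' );
```

The capability check and the nonce check answer different questions: the first confirms who is making the request, the second confirms the request came from the site's own form.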