2 matches found
CVE-2021-24804 Simple JWT Login < 3.2.1 - Arbitrary Settings Update to Site Takeover via CSRF
The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site...
CVE-2021-24804
CVE-2021-24804 affects the WordPress plugin Simple JWT Login prior to version 3.2.1. The vulnerability is a CSRF/nonce-check bypass in the settings save path, allowing a logged-in administrator to modify critical options (e.g., HMAC verification secret, account registration, and default user role...