2 matches found
CVE-2021-24804
CVE-2021-24804 affects the WordPress plugin Simple JWT Login prior to version 3.2.1. The vulnerability is a CSRF/nonce-check bypass in the settings save path, allowing a logged-in administrator to modify critical options (e.g., HMAC verification secret, account registration, and default user role...
CVE-2021-24998
CVE-2021-24998 affects the WordPress plugin Simple JWT Login prior to version 3.3.0. The root cause is that the plugin generates new user passwords with a PHP function that is not cryptographically secure, specifically str_shuffle. This enables creation of new WordPress user...