vulnerability
WordPress Plugin: simple-jwt-login: CVE-2021-24998: Inadequate Encryption Strength
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Oct 13, 2021 | May 15, 2025 | May 4, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
Oct 13, 2021
Added
May 15, 2025
Modified
May 4, 2026
Description
The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.
Solution
simple-jwt-login-plugin-cve-2021-24998
References
- https://www.cve.org/CVERecord?id=CVE-2021-24998
- https://www.wordfence.com/threat-intel/vulnerabilities/id/defd82dd-bda0-4f0c-88cb-4db983953097?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-11910
- CVE-2021-24998
- https://attackerkb.com/topics/CVE-2021-24998
- CWE-330
- EUVD-EUVD-2021-11910
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.