CVE-2021-24804

Summary

The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover.

Affected Software

VendorProductVersion RangeStatus
UnknownSimple JWT Login – Login and Register to WordPress using JWT3.2.1 < 3.2.1affected

Weaknesses

  • CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CVE Program Container

Additional References

References