Vulnerability Details : CVE-2021-24998
The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.
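As an added illustration (not code from the Simple JWT Login plugin, the advisory, or the patch), the following PHP contrasts a password generator built on str_shuffle with one that draws each character from random_int(), which is backed by the operating system's CSPRNG. The alphabet, function names and length are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code: weak str_shuffle-based generator
// beside a hardened random_int-based one.

// Constructed character set used by both generators (assumption).
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Weak pattern: str_shuffle() is driven by PHP's general-purpose PRNG, which
// the PHP manual says is not cryptographically secure. Taking a prefix of a
// shuffled alphabet also restricts output to strings with no repeated
// character, shrinking the space an attacker would have to search.
function weak_password(int $length = 12): string
{
    return substr(str_shuffle(ALPHABET), 0, $length);
}

// Hardened pattern: every position is chosen independently with random_int(),
// which reads from the OS CSPRNG and throws an Exception if none is available,
// so a failure is loud rather than silently falling back to weak randomness.
function strong_password(int $length = 12): string
{
    $max = strlen(ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, $max)];
    }
    return $out;
}

// Simple review heuristic: a generator whose output never contains a repeated
// character over many samples is a sign of the shuffle-and-truncate pattern.
function never_repeats(callable $gen, int $samples = 200): bool
{
    for ($i = 0; $i < $samples; $i++) {
        $pw = $gen();
        if (strlen($pw) !== count(array_unique(str_split($pw)))) {
            return false; // a repeat was seen, so not the shuffle pattern
        }
    }
    return true;
}

echo 'weak:   ', weak_password(), PHP_EOL;
echo 'strong: ', strong_password(), PHP_EOL;
echo 'weak generator never repeats a character: ',
    never_repeats('weak_password') ? 'yes' : 'no', PHP_EOL;
echo 'strong generator never repeats a character: ',
    never_repeats('strong_password') ? 'yes' : 'no', PHP_EOL;
```

The `never_repeats` check is only a code-review aid for spotting the truncated-shuffle shape of the weak generator; it says nothing about the quality of the underlying random source, which is the core problem the advisory describes. The fix is to replace the source, as `strong_password` does, not to post-process the output.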
Exploit prediction scoring system (EPSS) score for CVE-2021-24998
Probability of exploitation activity in the next 30 days: 0.06%
Percentile (the proportion of vulnerabilities scored at or below this one): ~25%
CVSS scores for CVE-2021-24998
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST
CWE ids for CVE-2021-24998
- The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. Assigned by: contact@wpscan.com (Primary)
- The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. Assigned by: contact@wpscan.com (Primary); nvd@nist.gov (Secondary)
References for CVE-2021-24998
- https://wpscan.com/vulnerability/1cca404e-766a-43ab-b41f-77d6a3b282fb (Third Party Advisory)
- https://plugins.trac.wordpress.org/changeset/2613782 (Changeset 2613782, WordPress Plugin Repository; Patch; Third Party Advisory)
Products affected by CVE-2021-24998
- cpe:2.3:a:simple_jwt_login_project:simple_jwt_login:*:*:*:*:*:wordpress:*:*