CVE-2021-24998

The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle  PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
WPScanCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
VendorProductVersion
simple_jwt_login_projectsimple_jwt_login
𝑥
< 3.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/changeset/2613782
https://wpscan.com/vulnerability/1cca404e-766a-43ab-b41f-77d6a3b282fb
https://plugins.trac.wordpress.org/changeset/2613782
https://wpscan.com/vulnerability/1cca404e-766a-43ab-b41f-77d6a3b282fb