CVE-2021-24804
Description
The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover.
CWE
- CWE-352 — CWE-352 Cross-Site Request Forgery (CSRF)
Affected
- Unknown / Simple JWT Login – Login and Register to WordPress using JWT — v=3.2.1 <3.2.1 [affected]
CVSS
- (none)
References
Source
cvelistV5-main/cves/2021/24xxx/CVE-2021-24804.json