CVE-2021-24804
📋 TL;DR
This vulnerability in the Simple JWT Login WordPress plugin allows attackers to change plugin settings because the settings-update request lacks a proper CSRF (nonce) check. By luring a logged-in administrator to a crafted page, an attacker can modify critical settings such as the HMAC verification secret and the user-registration controls, potentially leading to site takeover. Only WordPress sites running vulnerable versions of this plugin are affected.
💻 Affected Systems
- Simple JWT Login WordPress Plugin
📦 What is this software?
Simple Jwt Login by Simple Jwt Login Project
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers can create admin accounts, modify authentication secrets, and gain full control of the WordPress installation.
Likely Case
Attackers modify plugin settings to enable unauthorized user registration with elevated privileges, leading to backdoor access and potential data compromise.
If Mitigated
With proper nonce validation and access controls, only authenticated administrators can modify settings, preventing unauthorized changes.
🎯 Exploit Status
Exploitation requires tricking a logged-in administrator into performing an action (CSRF attack). The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.1
Vendor Advisory: https://wpscan.com/vulnerability/6f015e8e-462b-4ef7-a9a1-bb91e7d28e37
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Simple JWT Login plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.2.1+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate simple-jwt-login
Implement CSRF Protection
Add custom nonce validation to the plugin settings pages via custom code or a security plugin
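The "If Mitigated" note and the nonce-validation workaround above both come down to the same two checks on the request that saves settings: a capability check and a WordPress nonce check. The following is an added illustration, not the plugin's own code or the vendor's patch; the hook, option and field names (simple_jwt_example_*) are hypothetical. It shows a settings-save handler in the shape of the flaw described above beside a hardened version that uses the core WordPress functions for this purpose.

```php
<?php
// Added example, not code from the Simple JWT Login plugin.
// All simple_jwt_example_* names are hypothetical placeholders.

// Vulnerable shape: any POST that reaches this handler is trusted. A logged-in
// administrator lured to an attacker-controlled page can be made to submit a
// form that posts here, and the plugin settings change without their knowledge.
function simple_jwt_example_save_settings_vulnerable() {
    if ( ! isset( $_POST['simple_jwt_example_settings'] ) ) {
        return;
    }
    update_option( 'simple_jwt_example_settings', wp_unslash( $_POST['simple_jwt_example_settings'] ) );
}

// Hardened shape: capability check, then nonce check, then sanitisation,
// all before any state changes.
function simple_jwt_example_save_settings_hardened() {
    if ( ! isset( $_POST['simple_jwt_example_settings'] ) ) {
        return;
    }

    // 1. Only administrators (manage_options) may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. The request must carry a nonce that WordPress issued to this user for
    //    this action. A form on a third-party site cannot obtain one, so a
    //    forged cross-site request fails here (check_admin_referer() dies).
    check_admin_referer( 'simple_jwt_example_save', 'simple_jwt_example_nonce' );

    // 3. Store only the fields we expect, in the types we expect.
    $raw   = wp_unslash( $_POST['simple_jwt_example_settings'] );
    $clean = array(
        'allow_register' => ! empty( $raw['allow_register'] ) ? 1 : 0,
        'hmac_secret'    => sanitize_text_field( $raw['hmac_secret'] ?? '' ),
    );
    update_option( 'simple_jwt_example_settings', $clean );
}
add_action( 'admin_init', 'simple_jwt_example_save_settings_hardened' );

// The settings form must emit the matching nonce field so that legitimate
// admin submissions pass the check above.
function simple_jwt_example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'simple_jwt_example_save', 'simple_jwt_example_nonce' ); ?>
        <label>
            <input type="checkbox" name="simple_jwt_example_settings[allow_register]" value="1">
            Allow user registration
        </label>
        <label>
            HMAC secret
            <input type="text" name="simple_jwt_example_settings[hmac_secret]">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}
```

The order matters: the capability check refuses non-admins outright, and the nonce check refuses requests that an admin did not knowingly initiate from the site's own form. Nonces alone do not replace the capability check, since a low-privilege user could obtain a nonce for an action they are otherwise allowed to perform.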
🧯 If You Can't Patch
- Restrict admin access to trusted IP addresses only
- Implement web application firewall rules to block CSRF attacks targeting plugin settings endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Simple JWT Login → View version. If the version is below 3.2.1, the system is vulnerable.
Check Version:
wp plugin get simple-jwt-login --field=version
Verify Fix Applied:
Confirm plugin version is 3.2.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin.php?page=simple-jwt-login-settings
- Multiple failed authentication attempts followed by settings modification
Network Indicators:
- CSRF attacks targeting plugin settings endpoints
- Unexpected modifications to plugin configuration
SIEM Query:
source="wordpress" AND (uri="/wp-admin/admin.php?page=simple-jwt-login-settings" OR plugin="simple-jwt-login") AND action="settings_update"
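The log indicators and SIEM query above boil down to one question: which POST requests reached the plugin's settings page, and did they look like they came from the site's own admin form? The script below is an added example, not part of the advisory, that applies that check to web-server access-log lines in the common "combined" format. The log lines and the site hostname (example.test) are constructed. A settings POST whose Referer is a different origin, or is missing, is flagged for review; this is a triage signal rather than proof of forgery, since browsers and privacy settings sometimes strip the Referer.

```php
<?php
// Added example, not from the advisory: scan access-log lines for POSTs to the
// Simple JWT Login settings page and flag those with a foreign or missing Referer.

const SITE_HOST     = 'example.test';                 // assumed hostname of the monitored site
const SETTINGS_PATH = '/wp-admin/admin.php';
const SETTINGS_PAGE = 'simple-jwt-login-settings';    // page parameter named in the advisory

// Constructed sample in combined log format:
// ip - user [time] "method uri proto" status bytes "referer" "user-agent"
$sample_log = <<<'LOG'
203.0.113.5 - admin [10/Oct/2023:10:00:01 +0000] "GET /wp-admin/admin.php?page=simple-jwt-login-settings HTTP/1.1" 200 5120 "https://example.test/wp-admin/plugins.php" "Mozilla/5.0"
203.0.113.5 - admin [10/Oct/2023:10:00:20 +0000] "POST /wp-admin/admin.php?page=simple-jwt-login-settings HTTP/1.1" 302 0 "https://example.test/wp-admin/admin.php?page=simple-jwt-login-settings" "Mozilla/5.0"
203.0.113.5 - admin [10/Oct/2023:11:30:07 +0000] "POST /wp-admin/admin.php?page=simple-jwt-login-settings HTTP/1.1" 302 0 "https://lure.invalid/page.html" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:11:31:00 +0000] "POST /wp-admin/admin.php?page=simple-jwt-login-settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:11:32:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields; null if the line does not match.
function parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip' => $m[1], 'user' => $m[2], 'time' => $m[3], 'method' => $m[4],
        'uri' => $m[5], 'status' => (int) $m[6], 'referer' => $m[7],
    ];
}

// True for a POST whose path and page parameter identify the plugin settings page.
function is_settings_post(array $r): bool {
    if ($r['method'] !== 'POST') {
        return false;
    }
    $parts = parse_url($r['uri']);
    if (($parts['path'] ?? '') !== SETTINGS_PATH) {
        return false;
    }
    parse_str($parts['query'] ?? '', $q);
    return ($q['page'] ?? '') === SETTINGS_PAGE;
}

// A missing Referer or one whose host is not the site itself is the shape a
// cross-site submission produces; treat both as worth a look.
function referer_is_foreign(string $referer): bool {
    if ($referer === '-' || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return strcasecmp((string) $host, SITE_HOST) !== 0;
}

// Return every settings POST with a 'foreign_referer' verdict attached.
function scan(string $log): array {
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || !is_settings_post($r)) {
            continue;
        }
        $r['foreign_referer'] = referer_is_foreign($r['referer']);
        $findings[] = $r;
    }
    return $findings;
}

foreach (scan($sample_log) as $f) {
    printf(
        "%s %-12s user=%-6s status=%d referer=%s  %s\n",
        $f['time'], $f['ip'], $f['user'], $f['status'], $f['referer'],
        $f['foreign_referer'] ? 'REVIEW: settings POST with foreign/missing Referer' : 'ok: same-origin'
    );
}
```

On the constructed sample this reports three settings POSTs: the first is same-origin, the second carries a third-party Referer, and the third has none. Correlating the flagged requests with the option-change timestamps in the WordPress database (or an audit-log plugin) tells you whether a setting actually changed at that moment, which is the "settings_update" action the SIEM query above is looking for.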