CVE-2021-24998 – The Simple JWT Login WordPress plugin before ve... (How to Fix)

Q: What is the severity of CVE-2021-24998?

CVE-2021-24998 has a CVSS score of 7.5 (HIGH). The Simple JWT Login WordPress plugin before version 3.3.0 uses PHP's str_shuffle function to generate passwords for new user accounts, which creates predictable, non-cryptographically secure passwords. This allows attackers to potentially guess or brute-force passwords for newly created accounts. Any WordPress site using the vulnerable plugin version is affected.

📋 TL;DR

The Simple JWT Login WordPress plugin before version 3.3.0 uses PHP's str_shuffle function to generate passwords for new user accounts, which creates predictable, non-cryptographically secure passwords. This allows attackers to potentially guess or brute-force passwords for newly created accounts. Any WordPress site using the vulnerable plugin version is affected.

💻 Affected Systems

Products:

Simple JWT Login WordPress Plugin

Versions: All versions before 3.3.0

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the plugin to be installed and active. The vulnerability exists in the user registration functionality.

📦 What is this software?

Simple Jwt Login by Simple Jwt Login Project

View all CVEs affecting Simple Jwt Login →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers create administrative accounts with predictable passwords, gaining full control over the WordPress site to install malware, deface content, or steal sensitive data.

🟠

Likely Case

Attackers create lower-privileged user accounts with predictable passwords, gaining unauthorized access to post content, modify settings, or escalate privileges.

🟢

If Mitigated

With strong network controls and monitoring, unauthorized account creation attempts are detected and blocked before successful exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires access to the user registration endpoint. The vulnerability is well-documented with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.0

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2613782

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Simple JWT Login plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 3.3.0+ from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable User Registration

all

Temporarily disable user registration functionality in the plugin settings

Disable Plugin

all

Deactivate the Simple JWT Login plugin until patched

🧯 If You Can't Patch

Implement Web Application Firewall (WAF) rules to block requests to user registration endpoints
Enable detailed logging for user creation events and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Simple JWT Login > Version. If version is below 3.3.0, the site is vulnerable.

Check Version:

wp plugin list --name='simple-jwt-login' --field=version

Verify Fix Applied:

After updating, verify plugin version shows 3.3.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Multiple user creation requests from single IP
User accounts created with similar timestamps
Failed login attempts followed by successful logins to newly created accounts

Network Indicators:

HTTP POST requests to /wp-json/jwt-auth/v1/users/register endpoint
Unusual traffic patterns to user registration endpoints

SIEM Query:

source="wordpress" AND (uri_path="/wp-json/jwt-auth/v1/users/register" OR event="user_created")

📊 Metadata

CVE ID: CVE-2021-24998

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-330

Published: December 27, 2021

Last Updated: November 21, 2024

🔗 References

https://plugins.trac.wordpress.org/changeset/2613782 Patch,Third Party Advisory
https://wpscan.com/vulnerability/1cca404e-766a-43ab-b41f-77d6a3b282fb Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2613782 Patch,Third Party Advisory
https://wpscan.com/vulnerability/1cca404e-766a-43ab-b41f-77d6a3b282fb Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-24998, you might also want to check these: