Vulnerabilities and security researches forsimple-jwt-login simple-jwt-login
Direction: ascendingSimple JWT Login – Login and Register to WordPress using JWT # CVE-2021-24804
- CVE, Research URL
- Home page URL
-
Security reports for Simple JWT Login – Login and Register to WordPress using JWT
- Date
- Nov 17, 2021
- Research Description
- The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover.
- Affected versions
-
max 3.2.1.
- Status
-
vulnerable
Simple JWT Login – Login and Register to WordPress using JWT # CVE-2021-24998
- CVE, Research URL
- Home page URL
-
Security reports for Simple JWT Login – Login and Register to WordPress using JWT
- Date
- Dec 27, 2021
- Research Description
- The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.
- Affected versions
-
max 3.3.0.
- Status
-
vulnerable
Simple JWT Login – Login and Register to WordPress using JWT # CVE-2025-58648
- CVE, Research URL
- Home page URL
-
Security reports for Simple JWT Login – Login and Register to WordPress using JWT
- Date
- Sep 23, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicu Micle Simple JWT Login simple-jwt-login allows Stored XSS.This issue affects Simple JWT Login: from n/a through <= 3.6.4.
- Affected versions
-
max 3.6.5.
- Status
-
vulnerable
Simple JWT Login – Login and Register to WordPress using JWT # CVE-2026-14262
- CVE, Research URL
- Home page URL
-
Security reports for Simple JWT Login – Login and Register to WordPress using JWT
- Date
- Jul 11, 2026
- Research Description
- The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list — leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with the site's HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator's email address into the `payload` parameter at the `/wp-json/simple-jwt-login/v1/auth` endpoint, then redeeming the resulting JWT at the `/autologin` endpoint to obtain a fully authenticated session as that administrator.
- Affected versions
-
max 3.6.7.
- Status
-
vulnerable