cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forsimple-jwt-login simple-jwt-login

Direction: ascending
Jun 07, 2024

Simple JWT Login – Login and Register to WordPress using JWT # CVE-2021-24804

CVE, Research URL

CVE-2021-24804

Date
Nov 17, 2021
Research Description
The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover.
Affected versions
max 3.2.1.
Status
vulnerable

Simple JWT Login – Login and Register to WordPress using JWT # CVE-2021-24998

CVE, Research URL

CVE-2021-24998

Date
Dec 27, 2021
Research Description
The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.
Affected versions
max 3.3.0.
Status
vulnerable
Oct 12, 2025

Simple JWT Login – Login and Register to WordPress using JWT # CVE-2025-58648

CVE, Research URL

CVE-2025-58648

Date
Sep 23, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicu Micle Simple JWT Login simple-jwt-login allows Stored XSS.This issue affects Simple JWT Login: from n/a through <= 3.6.4.
Affected versions
max 3.6.5.
Status
vulnerable
Jul 11, 2026

Simple JWT Login &#8211; Login and Register to WordPress using JWT # CVE-2026-14262

CVE, Research URL

CVE-2026-14262

Date
Jul 11, 2026
Research Description
The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list — leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with the site's HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator's email address into the `payload` parameter at the `/wp-json/simple-jwt-login/v1/auth` endpoint, then redeeming the resulting JWT at the `/autologin` endpoint to obtain a fully authenticated session as that administrator.
Affected versions
max 3.6.7.
Status
vulnerable