CVE-2021-24804: 
WordPress vulnerability analysis and mitigation

The Simple JWT Login WordPress plugin versions before 3.2.1 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2021-24804. The vulnerability was publicly disclosed on October 18, 2021, and was discovered by security researcher apple502j. This security flaw affects the plugin's settings management functionality, where the absence of proper nonce checks could allow unauthorized modifications to critical plugin settings (WPScan).

The vulnerability stems from the absence of nonce checks in the plugin's settings saving functionality. This security oversight has been classified as CWE-352 (Cross-Site Request Forgery). The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating its significant severity (NVD).

The vulnerability allows attackers to modify critical plugin settings including HMAC verification secret, account registration parameters, and default user roles. Through successful exploitation, attackers could potentially achieve complete site takeover by manipulating these security-critical configurations (WPScan).

The vulnerability has been patched in version 3.2.1 of the Simple JWT Login plugin. Users are strongly advised to update to this version or later to protect against potential exploitation (WPScan).