CVE-2026-1088
CSRF Vulnerability in WordPress Login Page Editor Plugin
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devotion | login_page_editor | to 1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the WordPress Login Page Editor plugin up to version 1.2. It occurs because the AJAX action devotion_loginform_process() lacks nonce validation, allowing unauthenticated attackers to trick a site administrator into performing actions like updating the plugin's login page settings via a forged request. [2, 3]
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to modify the login page settings of the plugin without proper authorization by tricking an administrator into clicking a malicious link. This could lead to unauthorized changes in the login page appearance or behavior, potentially facilitating further attacks or misleading users. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or forged AJAX POST requests to the `devotion_loginform_process` action in the WordPress Login Page Editor plugin. Specifically, look for POST requests containing the `formdata` parameter targeting the AJAX endpoint (usually `wp-admin/admin-ajax.php`) with the action `devotion_loginform_process`. Commands to detect such activity could include using web server logs or network monitoring tools to filter for these requests. For example, using grep on Apache logs: `grep "action=devotion_loginform_process" /var/log/apache2/access.log` or using a network capture tool like tcpdump or Wireshark to filter HTTP POST requests to `admin-ajax.php` containing `formdata`. Additionally, checking for absence of nonce validation in these requests may indicate exploitation attempts. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Login Page Editor plugin to a version that patches this vulnerability (versions above 1.2 if available). If an update is not available, restrict access to the AJAX action `devotion_loginform_process` by implementing nonce validation and user capability checks to prevent unauthorized requests. Additionally, monitor and block suspicious POST requests targeting this AJAX action. As a temporary measure, consider disabling or removing the plugin until a fix is applied to prevent exploitation via CSRF attacks. [2, 3]