CVE-2026-1088
CSRF Vulnerability in WordPress Login Page Editor Plugin

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: Wordfence

Description
The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Meta Information
Published: 2026-01-24
Last Modified: 2026-01-24
Generated: 2026-06-16
AI Q&A: 2026-01-24
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: devotion
Product: login_page_editor
Version / Range: up to and including 1.2
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Quick Actions
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the WordPress Login Page Editor plugin up to version 1.2. It occurs because the AJAX action devotion_loginform_process() lacks nonce validation, allowing unauthenticated attackers to trick a site administrator into performing actions like updating the plugin's login page settings via a forged request. [2, 3]

Impact Analysis

An attacker can exploit this vulnerability to modify the login page settings of the plugin without proper authorization by tricking an administrator into clicking a malicious link. This could lead to unauthorized changes in the login page appearance or behavior, potentially facilitating further attacks or misleading users. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or forged AJAX POST requests to the `devotion_loginform_process` action in the WordPress Login Page Editor plugin. Specifically, look for POST requests to the AJAX endpoint (usually `wp-admin/admin-ajax.php`) with the action `devotion_loginform_process` and a `formdata` parameter. Web server logs or network monitoring tools can be used to filter for these requests; for example, with grep on Apache logs: `grep "action=devotion_loginform_process" /var/log/apache2/access.log`, or with a network capture tool such as tcpdump or Wireshark to filter HTTP POST requests to `admin-ajax.php` containing `formdata`. Additionally, requests to this action that carry no nonce field may indicate exploitation attempts. [2, 3]
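The log-filtering approach above, as an added example written for this page (not code from the page or from the plugin): a small PHP script, PHP being the plugin's own language, that parses Apache combined-format lines, keeps only `admin-ajax.php` requests whose query string names the `devotion_loginform_process` action, and flags those whose `Referer` is absent or from a different host than the site, which is how a forged cross-site request looks from the server side. The site host, the sample log lines and every function name are constructed for the example. One caveat the grep command shares: Apache logs only the request line, so parameters sent in a POST body (where admin-ajax parameters usually travel) are invisible in the access log; both approaches see the action only when it is in the query string.

```php
<?php
// Added example, not the plugin's code. Scans Apache combined-format access log
// lines for admin-ajax.php requests carrying the vulnerable action and flags the
// ones whose Referer is missing or points at another host (assumed site host below).

const TARGET_ACTION = 'devotion_loginform_process';
const SITE_HOST     = 'example.com'; // assumption: replace with the real site host

// Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
function parse_combined_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null; // not a combined-format line
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'target'  => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

// Returns null when the entry is not a request to the target action, otherwise
// 'same-site', 'no-referer' or 'cross-site-referer'.
function classify_entry(array $e): ?string
{
    $url  = parse_url($e['target']);
    $path = $url['path'] ?? '';
    if (basename($path) !== 'admin-ajax.php') {
        return null;
    }
    parse_str($url['query'] ?? '', $q);
    if (($q['action'] ?? '') !== TARGET_ACTION) {
        return null;
    }
    if ($e['referer'] === '-' || $e['referer'] === '') {
        return 'no-referer';
    }
    $refHost = parse_url($e['referer'], PHP_URL_HOST);
    if (strcasecmp((string) $refHost, SITE_HOST) !== 0) {
        return 'cross-site-referer';
    }
    return 'same-site';
}

// Walks the lines and collects the entries worth an analyst's attention.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parse_combined_line($line);
        if ($e === null) {
            continue;
        }
        $verdict = classify_entry($e);
        if ($verdict !== null && $verdict !== 'same-site') {
            $hits[] = [
                'ip'      => $e['ip'],
                'time'    => $e['time'],
                'referer' => $e['referer'],
                'reason'  => $verdict,
            ];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic): one cross-site referer, one
// legitimate same-site save, one request with no referer, one unrelated request.
$sample = [
    '203.0.113.5 - - [24/Jan/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=devotion_loginform_process HTTP/1.1" 200 23 "https://third-party.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=devotion_loginform_process HTTP/1.1" 200 23 "https://example.com/wp-admin/admin.php?page=login-page-editor" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Jan/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=devotion_loginform_process HTTP/1.1" 200 23 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Jan/2026:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $hit) {
    printf("%s %s referer=%s reason=%s\n", $hit['time'], $hit['ip'], $hit['referer'], $hit['reason']);
}
```

Run with `php scan.php` (or feed `file('/var/log/apache2/access.log')` into `scan_log()` instead of `$sample`). On the constructed lines it reports the first entry as `cross-site-referer` and the third as `no-referer`; the second is a normal save from the plugin's own settings page and the fourth never reaches the action check. A missing or foreign `Referer` on a settings-changing AJAX call is a strong CSRF signal but not proof, since browsers and privacy extensions sometimes strip the header, so treat the output as triage input rather than a verdict.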

Mitigation Strategies

Immediate mitigation steps include updating the Login Page Editor plugin to a version that patches this vulnerability (versions above 1.2 if available). If an update is not available, restrict access to the AJAX action `devotion_loginform_process` by implementing nonce validation and user capability checks to prevent unauthorized requests. Additionally, monitor and block suspicious POST requests targeting this AJAX action. As a temporary measure, consider disabling or removing the plugin until a fix is applied to prevent exploitation via CSRF attacks. [2, 3]
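The fix described above (nonce validation plus a user capability check on the AJAX handler), as an added PHP example written for this page; it is not the plugin's real code, and the handler shape, option name, settings-page hook, form field names and nonce action string are all assumptions. The commented-out "before" block shows the vulnerable shape the advisory describes: an admin-ajax handler that writes settings with neither a nonce nor a capability check, so any request an administrator's browser can be made to send is accepted.

```php
<?php
// Added example, not the plugin's code. Hypothetical before/after handlers for a
// WordPress admin-ajax action named like the one in the advisory.

/* --- BEFORE (hypothetical vulnerable shape): no nonce, no capability check ---
add_action( 'wp_ajax_devotion_loginform_process', 'devotion_loginform_process' );
function devotion_loginform_process() {
    parse_str( wp_unslash( $_POST['formdata'] ?? '' ), $fields );
    update_option( 'devotion_loginform_settings', $fields ); // written for any
    wp_die();                                                // logged-in admin session
}
-------------------------------------------------------------------------------- */

// 1. Mint a nonce on the plugin's own settings page and hand it to that page's
//    script, so only the real form can send it back. Page hook name is assumed.
add_action( 'admin_enqueue_scripts', 'devotion_lpe_enqueue_example' );
function devotion_lpe_enqueue_example( $hook ) {
    if ( 'toplevel_page_login-page-editor' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'devotion-lpe-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'devotion-lpe-admin', 'devotionLpe', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'devotion_loginform_process' ),
    ) );
}

// 2. Hardened handler. Registered only on wp_ajax_ (logged-in users); there is
//    deliberately no wp_ajax_nopriv_ hook for an admin-only settings action.
add_action( 'wp_ajax_devotion_loginform_process', 'devotion_loginform_process_example' );
function devotion_loginform_process_example() {
    // CSRF defence: the nonce must have been minted for this action string and
    // arrive in the 'security' field. check_ajax_referer() ends the request with
    // HTTP 403 (body "-1") when it is missing, expired or minted for another user.
    check_ajax_referer( 'devotion_loginform_process', 'security' );

    // Authorization: a valid nonce proves the request came from the site's own
    // page, not that this user is allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input handling: accept only known keys and sanitize each one.
    parse_str( wp_unslash( $_POST['formdata'] ?? '' ), $fields );
    $clean = devotion_lpe_sanitize_settings( (array) $fields );

    update_option( 'devotion_loginform_settings', $clean );
    wp_send_json_success( array( 'saved' => array_keys( $clean ) ) );
}

// Allow-list of settings (field names assumed) with a sanitizer per field, so a
// forged or malformed formdata string cannot smuggle in unexpected keys or markup.
function devotion_lpe_sanitize_settings( array $fields ) {
    $sanitizers = array(
        'logo_url'   => 'esc_url_raw',
        'background' => 'sanitize_text_field',
        'custom_css' => 'wp_strip_all_tags',
    );
    $clean = array();
    foreach ( $sanitizers as $key => $fn ) {
        if ( isset( $fields[ $key ] ) && is_string( $fields[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $fn, $fields[ $key ] );
        }
    }
    return $clean;
}
```

The matching `admin.js` would POST `action=devotion_loginform_process`, `security=devotionLpe.nonce` and `formdata=<serialized form>` to `devotionLpe.ajaxUrl`. Both checks are needed: the nonce alone blocks forged cross-site requests but says nothing about what the user may do, and `current_user_can()` alone does not stop CSRF, because the administrator whose browser is tricked does have the capability. Keeping the nonce check first means a forged request is rejected before any option is read or written.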
