CVE-2026-1503
Received Received - Intake
CSRF to Stored XSS in WordPress login_register Plugin

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the 'login_register_login_post' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-21
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1503
EUVD
EUVD-2026-14181
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence login_register to 1.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The login_register plugin for WordPress is vulnerable to a Cross-Site Request Forgery (CSRF) attack that leads to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.2.0.

This vulnerability exists because the plugin's settings page lacks nonce validation, which is a security token used to verify that requests are intentional and legitimate.

Additionally, the plugin does not properly sanitize or escape the 'login_register_login_post' parameter, allowing attackers to inject arbitrary web scripts.

An unauthenticated attacker can exploit this by tricking an administrator into performing an action, such as clicking a malicious link, which causes the injected script to be stored and executed whenever the affected page is accessed.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary scripts in the context of the affected website when an administrator interacts with a crafted request.

Such script execution can lead to unauthorized actions being performed with administrator privileges, potentially compromising the website's security and integrity.

Because the attacker can inject scripts that run in the administrator's browser, this may lead to theft of sensitive information, session hijacking, or further exploitation of the site.

The vulnerability requires user interaction (an administrator clicking a link), but no authentication is needed for the attacker to initiate the attack.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate the vulnerability in the login_register WordPress plugin (versions up to and including 1.2.0), immediate steps include ensuring that the plugin is updated to a version that includes nonce validation and proper input sanitization and output escaping.'}, {'type': 'paragraph', 'content': 'Additionally, enabling CAPTCHA protection on the plugin\'s control forms can help reduce automated attacks, as the plugin\'s admin interface suggests integration with the "Really Simple CAPTCHA" plugin.'}, {'type': 'paragraph', 'content': 'Administrators should also be cautious about clicking on suspicious links or performing actions triggered by untrusted sources, as the vulnerability allows unauthenticated attackers to inject scripts that execute when an admin accesses a crafted page.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1503. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart