CVE-2026-1503
CSRF to Stored XSS in WordPress login_register Plugin
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | login_register | to 1.2.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The login_register plugin for WordPress is vulnerable to a Cross-Site Request Forgery (CSRF) attack that leads to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.2.0.
This vulnerability exists because the plugin's settings page lacks nonce validation, which is a security token used to verify that requests are intentional and legitimate.
Additionally, the plugin does not properly sanitize or escape the 'login_register_login_post' parameter, allowing attackers to inject arbitrary web scripts.
An unauthenticated attacker can exploit this by tricking an administrator into performing an action, such as clicking a malicious link, which causes the injected script to be stored and executed whenever the affected page is accessed.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary scripts in the context of the affected website when an administrator interacts with a crafted request.
Such script execution can lead to unauthorized actions being performed with administrator privileges, potentially compromising the website's security and integrity.
Because the attacker can inject scripts that run in the administrator's browser, this may lead to theft of sensitive information, session hijacking, or further exploitation of the site.
The vulnerability requires user interaction (an administrator clicking a link), but no authentication is needed for the attacker to initiate the attack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'To mitigate the vulnerability in the login_register WordPress plugin (versions up to and including 1.2.0), immediate steps include ensuring that the plugin is updated to a version that includes nonce validation and proper input sanitization and output escaping.'}, {'type': 'paragraph', 'content': 'Additionally, enabling CAPTCHA protection on the plugin\'s control forms can help reduce automated attacks, as the plugin\'s admin interface suggests integration with the "Really Simple CAPTCHA" plugin.'}, {'type': 'paragraph', 'content': 'Administrators should also be cautious about clicking on suspicious links or performing actions triggered by untrusted sources, as the vulnerability allows unauthenticated attackers to inject scripts that execute when an admin accesses a crafted page.'}] [2]