CVE-2026-10100
Stored XSS in Simple Custom Login Page WordPress Plugin
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp-simple-custom-login | plugin | to 1.0.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Simple Custom Login Page plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its color settings fields, including Page Background, Form Background, Text Color, and Link Color, in versions up to and including 1.0.3.
This vulnerability arises because the plugin does not properly sanitize input for these color options. The values are registered and stored without a sanitize callback and are output into a <style> block on the login page using an escaping function (esc_attr()) that is not appropriate for CSS contexts.
As a result, authenticated users with administrator-level access or higher can inject arbitrary CSS rules into the login page. These malicious CSS rules are then rendered for all unauthenticated visitors.
This can enable attacks such as UI redress and credential phishing by manipulating the appearance and behavior of the login page.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with administrator-level access to inject arbitrary CSS into the WordPress login page.
This CSS injection can affect all unauthenticated visitors to the login page, potentially leading to UI redress attacks where the interface is manipulated to deceive users.
Such manipulation can be used for credential phishing, tricking users into revealing their login information.
Overall, this can compromise the security and trustworthiness of the login process, potentially leading to unauthorized access and data breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Simple Custom Login Page plugin for WordPress is installed and running a version up to and including 1.0.3.
Since the vulnerability is related to stored Cross-Site Scripting via color settings fields, one way to detect it is to inspect the color option values stored in the WordPress database, particularly in the options table where plugin settings are saved.
You can use WP-CLI commands or direct database queries to check the plugin version and the stored color settings.
- Check the plugin version via WP-CLI: wp plugin get simple-custom-login --field=version
- Query the WordPress database for color settings related to the plugin, for example: SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%simple_custom_login_color%';
Additionally, reviewing the wp-login.php page source for injected CSS rules or unusual style blocks may help identify exploitation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Simple Custom Login Page plugin to a version later than 1.0.3 where the vulnerability is fixed.
If an update is not immediately available, restrict administrator-level access to trusted users only, as exploitation requires authenticated users with administrator privileges.
Review and sanitize the color settings fields manually in the database to remove any malicious CSS injections.
Consider disabling or removing the plugin temporarily until a secure version is installed.
Monitor login pages for unusual UI behavior that could indicate UI redress or credential phishing attempts.