Description
The WP Custom Admin Login Page Logo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.8.4. This is due to missing or incorrect nonce validation on the wpclpl_save functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery causing unauthorized change of plugin settings
Action: Apply Patch
AI Analysis

Impact

The WP Custom Admin Login Page Logo plugin for WordPress allows unauthenticated attackers to modify the plugin’s settings because the wpclpl_save function lacks proper nonce validation. This flaw permits a forged request to alter configuration values such as logo image, login URL redirection, and other cosmetic settings. The impact is the ability to inject arbitrary settings that affect site appearance and potentially redirect users, but it does not provide direct code execution or access to admin credentials.

Affected Systems

All installations of the WP Custom Admin Login Page Logo plugin running version 1.4.8.4 or earlier are affected. The plugin is distributed through the official WordPress plugin repository and is maintained by larsactionhero. Site administrators who have upgraded the plugin to a version newer than 1.4.8.4 are not impacted.

Risk and Exploitability

The vulnerability scores a CVSS 4.3, describing a moderate risk that requires user interaction but provides no direct privilege escalation. The EPSS score of less than 1% indicates a low probability that the flaw is actively exploited in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation typically involves tricking a logged-in administrator into clicking a malicious link or submitting a forged form, after which the attacker can silently change plugin settings. Because the flaw requires an authenticated administrator to complete the request, the attacker's success depends on the administrator's interaction with a malicious payload.

Generated by OpenCVE AI on April 22, 2026 at 11:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Custom Admin Login Page Logo to a version newer than 1.4.8.4 or apply the vendor-supplied patch if available
  • If immediate upgrade is not possible, backup the current site and consider disabling the plugin until a fix is applied
  • Install a reputable security plugin that enforces nonce checks or restricts POST requests on admin pages to mitigate future CSRF attacks
  • Monitor the admin interface for unexpected configuration changes and alert on suspicious activity
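The nonce check the advisory reports as missing, shown as an added illustration rather than the plugin's own code: a hypothetical WordPress settings handler in its weak form (saves whatever arrives in POST) next to a corrected form that ties the request to a nonce and an administrator capability. The option key, action name, field names and function names are assumptions for the example.

```php
<?php
// Added illustration, not the plugin's code. Option key, action and field
// names are assumptions for the example.

// --- Weak form: saves whatever arrives in POST. A cross-site form submitted
// by a logged-in admin's browser passes unchanged, because the browser
// attaches the admin's session cookies automatically.
function example_save_settings_weak() {
    if ( ! empty( $_POST['logo_url'] ) ) {
        update_option( 'example_login_logo_url', $_POST['logo_url'] );
    }
}

// --- Hardened form: the handler refuses any request that does not carry a
// nonce bound to this action and the current user's session, and enforces
// capability, so only a form the site itself rendered for an administrator
// can reach update_option().
function example_save_settings_hardened() {
    // Core function: dies with a 403 page unless 'example_nonce' is a valid
    // nonce for the 'example_save_settings' action.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Nonces prove intent, not authority: still check capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $logo_url = isset( $_POST['logo_url'] ) ? esc_url_raw( wp_unslash( $_POST['logo_url'] ) ) : '';
    update_option( 'example_login_logo_url', $logo_url );

    wp_safe_redirect( admin_url( 'options-general.php?page=example&saved=1' ) );
    exit;
}
// admin-post.php routes POST requests with action=example_save_settings here.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );

// The settings form must embed the matching nonce field; the hardened
// handler rejects any submission that lacks it.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>Logo URL <input type="url" name="logo_url"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```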


Advisories

No advisories yet.

History

Wed, 12 Nov 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type: Description
Values Added: The WP Custom Admin Login Page Logo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.8.4. This is due to missing or incorrect nonce validation on the wpclpl_save functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Type: Title
Values Added: WP Custom Admin Login Page Logo <= 1.4.8.4 - Cross-Site Request Forgery to Settings Update
Type: Weaknesses
Values Added: CWE-352
Type: References
Values Added: (none listed)
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:49.218Z

Reserved: 2025-10-23T19:09:01.014Z

Link: CVE-2025-12132

Vulnrichment

Updated: 2025-11-12T15:42:21.755Z

NVD

Status: Deferred

Published: 2025-11-11T04:15:46.523

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12132

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses