Description
The Simple Custom Login Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color settings fields (Page Background, Form Background, Text Color, Link Color) in versions up to and including 1.0.3. This is due to insufficient input sanitization of the color option values (they were registered with register_setting() and stored via the Settings API/update_option() with no sanitize_callback) combined with the values being output into a <style> block on wp-login.php using esc_attr(), which is incorrect for a CSS context (it does not escape ;, {, }, / or *). This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary CSS rules into the login page that are rendered for all unauthenticated visitors, enabling UI-redress and credential-phishing attacks.
Published: 2026-06-02
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple Custom Login Page plugin fails to properly sanitize color option values in its settings page, allowing an authenticated user with administrator privileges to inject custom CSS into a <style> tag on wp‑login.php. The injected styles are rendered for all visitors to the login page, enabling attackers to perform UI‑redress and credential‑phishing attacks. The flaw is a classic Stored Cross‑Site Scripting vulnerability (CWE‑79).

Affected Systems

WordPress sites running the Simple Custom Login Page plugin version 1.0.3 or earlier. The vulnerability impacts only sites that have the plugin installed and where an attacker can log in as an administrator or higher. Non‑WordPress sites or newer plugin releases are not affected.

Risk and Exploitability

The CVSS score of 4.4 indicates a medium severity. Since the exploit requires administrative access and there are no publicly available exploit tools, the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated remote path whereby an attacker with admin privileges injects malicious CSS via the plugin settings. Once injected, the malicious CSS affects all unauthenticated users who view the login page, potentially leading to credential theft. The moderate CVSS score suggests a moderate risk if an attacker gains admin access, but the lack of public exploitation reduces immediate threats.

Generated by OpenCVE AI on June 2, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Custom Login Page plugin to the latest released version.
  • Immediately reset all color settings to safe default values or re‑apply sanitization by using WordPress's sanitization functions (e.g., sanitize_hex_color) before saving the options.
  • If an upgrade is delayed, consider deactivating or removing the plugin until a patch is applied to prevent the exploitation vector from remaining active.

Generated by OpenCVE AI on June 2, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description The Simple Custom Login Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color settings fields (Page Background, Form Background, Text Color, Link Color) in versions up to and including 1.0.3. This is due to insufficient input sanitization of the color option values (they were registered with register_setting() and stored via the Settings API/update_option() with no sanitize_callback) combined with the values being output into a <style> block on wp-login.php using esc_attr(), which is incorrect for a CSS context (it does not escape ;, {, }, / or *). This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary CSS rules into the login page that are rendered for all unauthenticated visitors, enabling UI-redress and credential-phishing attacks.
Title Simple Custom Login Page <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-02T10:48:01.147Z

Reserved: 2026-05-29T15:07:45.775Z

Link: CVE-2026-10100

cve-icon Vulnrichment

Updated: 2026-06-02T10:47:56.515Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T03:16:15.077

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10100

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T04:00:13Z

Weaknesses