Description
The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the 'login_register_login_post' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Published: 2026-03-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) via CSRF
Action: Patch
AI Analysis

Impact

The login_register plugin for WordPress does not validate a nonce on its settings page, and it neither sanitizes the login_register_login_post input nor escapes it on output. Together these defects turn a Cross‑Site Request Forgery into stored Cross‑Site Scripting: an attacker hosts a page or link that submits the plugin's settings form, and if an administrator who is logged in to the site follows it, the administrator's browser sends the forged request with the site's session cookies and the plugin writes the attacker's JavaScript into the stored option. The script is then served to anyone who loads a page on which the plugin outputs that option. Because WordPress authentication cookies are set HttpOnly, the realistic consequences are defacement and requests issued from the victim's browser with the victim's privileges rather than outright cookie theft.
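As an added illustration (not code from the login_register plugin or from OpenCVE), the following shows the shape of settings handler the description implies, first with the three defects named in the advisory (no nonce check, no input sanitization, no output escaping) and then hardened with the WordPress functions that close them. The option name, hook wiring and function names are assumptions for illustration; only the parameter name login_register_login_post comes from the advisory.

```php
<?php
// Added example, not the plugin's own code. Option name and function names
// are assumptions; 'login_register_login_post' is the parameter from the advisory.

// --- Vulnerable shape (CWE-352 leading to stored XSS) ------------------------
function lr_vuln_save_settings() {
    // No check_admin_referer(): any site the administrator visits can POST this
    // form from the administrator's browser, and the session cookies authorize it.
    if ( isset( $_POST['login_register_login_post'] ) ) {
        // Raw input stored verbatim, so '<script>...</script>' survives intact.
        update_option( 'login_register_login_post', $_POST['login_register_login_post'] );
    }
}

function lr_vuln_render_settings() {
    $value = get_option( 'login_register_login_post', '' );
    // Unescaped output: a stored '"><script>' payload breaks out of the attribute
    // and executes for whoever loads this page.
    echo '<input type="text" name="login_register_login_post" value="' . $value . '">';
}

// --- Hardened shape -----------------------------------------------------------
function lr_safe_save_settings() {
    // 1. Capability check: a nonce only proves the form came from this site for
    //    this user; it does not prove the user may change options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. Nonce check: the token is bound to the user session and the action, so a
    //    cross-site page cannot supply a valid one. check_admin_referer() stops
    //    execution (wp_nonce_ays) when the nonce is missing or stale.
    check_admin_referer( 'lr_save_settings', 'lr_settings_nonce' );

    if ( isset( $_POST['login_register_login_post'] ) ) {
        // 3. Input sanitization: wp_unslash() undoes WordPress' magic-quotes slashing,
        //    sanitize_text_field() strips tags, invalid UTF-8 and line breaks.
        $clean = sanitize_text_field( wp_unslash( $_POST['login_register_login_post'] ) );
        update_option( 'login_register_login_post', $clean );
    }
}

function lr_safe_render_settings() {
    $value = get_option( 'login_register_login_post', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies above.
    wp_nonce_field( 'lr_save_settings', 'lr_settings_nonce' );
    // 4. Output escaping for the attribute context; stored data is never trusted,
    //    so a value written by an older, unsanitized version still cannot execute.
    echo '<input type="text" name="login_register_login_post" value="' . esc_attr( $value ) . '">';
    submit_button();
    echo '</form>';
}
```

On a forged request the hardened save path never reaches `update_option()`, because `check_admin_referer()` terminates the request. If the option holds a post ID rather than free text, `absint()` is a tighter sanitizer than `sanitize_text_field()`; if the plugin registers the option through the Settings API, the same sanitizer can be passed as the `sanitize_callback` argument of `register_setting()`, which WordPress applies on every save. Escaping on output is kept even after sanitizing on input, since it also neutralizes values that were stored before the fix.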

Affected Systems

WordPress installations running the frankkoenen login_register plugin at version 1.2.0 or earlier are affected. Because the missing nonce check is on the plugin's admin settings form, any site with the plugin active is exposed: the attacker does not need the settings page to be reachable from outside, only an administrator who is logged in and can be induced to submit the forged request from their own browser.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) indicates medium severity. The attacker needs no account on the target, but the forged request only succeeds if an administrator who is currently logged in can be induced to click a link or visit a page that submits it, hence UI:R. The vulnerability is not in the KEV catalog, its EPSS score is below 1%, and the SSVC assessment recorded in the History below reports no known exploitation and rates it not automatable, so the likelihood of attack is currently low. The consequence of a successful attack is nonetheless broader than a single tricked administrator, because the injected script runs for every visitor of the affected page until the stored value is cleaned.

Generated by OpenCVE AI on March 21, 2026 at 07:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the login_register plugin as soon as a release newer than 1.2.0 that adds nonce validation and input sanitization is available; at the time of this page no fixed version is listed.
  • Until then, deactivate or uninstall the plugin to remove the attack surface; the nonce check and escaping have to be added inside the plugin and cannot be applied from outside it.
  • After updating or reinstalling, inspect the option values the plugin stores (for example with WP-CLI, `wp option get <option_name>`) and confirm that no script tags, event handlers or javascript: URIs remain, and that the settings page escapes stored values on output.
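As an added example for the last step above (constructed, not the plugin's or OpenCVE's code), a small PHP check that flags stored option values still carrying script-like content. It works on a plain array so it runs offline with the `php` CLI; on a live site the array would be built from wp_options, for example via `$wpdb->get_results()`. The option names and values below are made up for the illustration, and the patterns are heuristics that will also flag options that legitimately hold HTML, such as widget text.

```php
<?php
// Added example, not the plugin's or OpenCVE's code: flag stored option values
// that still carry script-like content. Sample option names/values are constructed.

function lr_find_script_like_options( array $options ): array {
    // Heuristic patterns that should never appear in a plain-text login setting.
    $patterns = array(
        '/<\s*script\b/i',                        // inline <script> tags
        '/<\s*(iframe|object|embed|svg|img)\b/i', // other active or event-bearing elements
        '/\bon[a-z]+\s*=/i',                      // inline event handlers: onerror=, onload=
        '/javascript\s*:/i',                      // javascript: URIs
    );
    $hits = array();
    foreach ( $options as $name => $value ) {
        if ( ! is_string( $value ) ) {
            // Arrays and objects live serialized in wp_options; scan that form.
            $value = serialize( $value );
        }
        foreach ( $patterns as $re ) {
            if ( preg_match( $re, $value ) ) {
                $hits[ $name ] = $value;
                break; // one match per option is enough to report it
            }
        }
    }
    return $hits;
}

// Constructed sample resembling wp_options rows (option_name => option_value).
$sample = array(
    'login_register_login_post' => '"><script>alert(document.domain)</script>', // stored payload
    'some_plugin_redirect_url'  => '/account?x=1" onmouseover="alert(1)',      // attribute breakout
    'blogname'                  => 'Example Site',                             // clean
    'posts_per_page'            => '10',                                       // clean
);

foreach ( lr_find_script_like_options( $sample ) as $name => $value ) {
    echo "SUSPICIOUS {$name}: {$value}\n";
}
```

Anything the check reports should be reset to a known-good value with `update_option()` or `wp option update`, and the plugin's output escaping should be confirmed separately, since a clean database does not by itself prove the settings page is safe.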

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Frankkoenen; Frankkoenen plugin Name: Login Register; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Frankkoenen; Frankkoenen plugin Name: Login Register; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: (the description text shown in the Description section above)

Type: Title
Values Removed: (none)
Values Added: login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-352

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Updated: 2026-04-08T17:05:59.673Z

Reserved: 2026-01-27T19:28:28.952Z

Link: CVE-2026-1503

Vulnrichment

Updated: 2026-03-23T15:07:37.731Z

NVD

Status : Deferred

Published: 2026-03-21T04:16:53.750

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-1503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:41:57Z

Weaknesses