Description
The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a completely broken nonce validation in the enter_mpclp_login_options() function, which contains an inverted check (if wp_verify_nonce(...) { return false; }) and is missing the required action parameter for wp_verify_nonce(). As a result, the nonce check is effectively dead code: it never blocks malicious requests because a CSRF-supplied empty/invalid nonce always returns false, satisfying the inverted condition to continue execution. Furthermore, the settings-update handler is hooked on init without any capability check. This makes it possible for unauthenticated attackers to modify all plugin settings, including login page background, logo URL, image dimensions, button colors, and login message, by tricking a logged-in administrator into submitting a crafted request.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MP Customize Login Page plugin for WordPress contains a broken Cross‑Site Request Forgery protection in the settings‑update handler. The nonce validation is inverted and the required action parameter is missing, turning the check into dead code that always allows the request to proceed. Additionally, the handler is hooked without any capability verification, so a request crafted by an unauthenticated attacker is processed with the privileges of the logged‑in administrator who is tricked into submitting it. An attacker can therefore change the appearance of the login page and its messages, potentially defacing the site or altering authentication cues.

Affected Systems

This weakness affects the MP Customize Login Page plugin version 1.0 and earlier, installed on WordPress sites that have not upgraded beyond that release.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk with limited impact compared to data exfiltration or code execution. EPSS is not available, so exploitation frequency is unclear, and the vulnerability is not listed in CISA KEV. The likely attack vector is CSRF: an unauthenticated attacker convinces a logged‑in administrator to visit a crafted URL or submit a form, causing the administrator’s session to trigger a settings update. Because the attack requires only a single user interaction, an external threat actor could easily perform it once the plugin is installed on a site. Even without a capability check, the impact is confined to the login‑page settings; the flaw grants the attacker no additional privileges beyond those changes.

Generated by OpenCVE AI on June 24, 2026 at 09:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MP Customize Login Page to the latest version that includes proper nonce validation and capability checks.
  • If an upgrade is not possible, deactivate or remove the plugin to eliminate the vulnerability.
  • As a temporary workaround, modify the settings‑update handler to perform a correct wp_verify_nonce() with the appropriate action and add a check that the current user has the administrator capability before proceeding with the update.
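The following is an added illustration, not code from the plugin or from OpenCVE. The first function reconstructs the pattern the CVE description gives for enter_mpclp_login_options() (inverted nonce check, no action argument, hooked on init, no capability check) so the defect is visible; the second is a hardened handler that applies the recommended actions above. Only enter_mpclp_login_options(), wp_verify_nonce() and the init hook come from the advisory; the handler name mpclp_save_login_options(), the option keys, the form field names, the nonce action string and the text domain are assumptions.

```php
<?php
// Added illustration of the advisory's finding and the recommended fix.
// NOT the plugin's own code: the broken handler is reconstructed from the CVE
// description; option keys, field names, nonce action and text domain are assumed.

/* ---- Pattern described in the advisory (kept only for contrast) ---- */

// Hooked on 'init', so it runs for every request, front end included,
// and nothing checks who (if anyone) is logged in.
function enter_mpclp_login_options() {
    if ( ! isset( $_POST['mpclp_nonce'] ) ) {
        return;
    }
    // Inverted check: a VALID nonce aborts, an invalid or empty one continues.
    // The action argument is also missing, so the nonce is not tied to this
    // form. A cross-site form that omits or fakes the nonce makes
    // wp_verify_nonce() return false, and execution falls through.
    if ( wp_verify_nonce( $_POST['mpclp_nonce'] ) ) {
        return false;
    }
    update_option( 'mpclp_logo_url', $_POST['mpclp_logo_url'] );           // unsanitized
    update_option( 'mpclp_login_message', $_POST['mpclp_login_message'] ); // unsanitized
}
// add_action( 'init', 'enter_mpclp_login_options' ); // hook as described in the advisory

/* ---- Hardened handler (assumed names) ---- */

function mpclp_save_login_options() {
    // Only react to this plugin's own submit button.
    if ( empty( $_POST['mpclp_save_options'] ) ) {
        return;
    }

    // 1. Capability check first: CSRF protection is not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.', 'mpclp' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Nonce check with an explicit action and field name. WordPress nonces
    //    are bound to the user session and the action, so a form served from
    //    another origin cannot carry a valid one. check_admin_referer() dies
    //    on failure, so there is no boolean to invert by mistake.
    check_admin_referer( 'mpclp_save_login_options', 'mpclp_nonce' );

    // 3. Sanitize every field for its intended type before persisting.
    $logo_url   = isset( $_POST['mpclp_logo_url'] ) ? esc_url_raw( wp_unslash( $_POST['mpclp_logo_url'] ) ) : '';
    $logo_width = isset( $_POST['mpclp_logo_width'] ) ? absint( $_POST['mpclp_logo_width'] ) : 0;
    $btn_color  = isset( $_POST['mpclp_button_color'] ) ? sanitize_text_field( wp_unslash( $_POST['mpclp_button_color'] ) ) : '';
    $btn_color  = preg_match( '/^#[0-9a-fA-F]{6}$/', $btn_color ) ? $btn_color : ''; // only a CSS hex colour
    $message    = isset( $_POST['mpclp_login_message'] ) ? wp_kses_post( wp_unslash( $_POST['mpclp_login_message'] ) ) : '';

    update_option( 'mpclp_logo_url', $logo_url );
    update_option( 'mpclp_logo_width', $logo_width );
    update_option( 'mpclp_button_color', $btn_color );
    update_option( 'mpclp_login_message', $message );
}
// admin_init never fires on front-end requests, unlike init.
add_action( 'admin_init', 'mpclp_save_login_options' );

// The settings form must emit the matching nonce field so legitimate saves pass:
// wp_nonce_field( 'mpclp_save_login_options', 'mpclp_nonce' );
```

The order of the two checks matters: the capability check answers "may this user change settings at all", the nonce check answers "did this user intend this request", and neither substitutes for the other. When applying such a workaround to a live site, a follow-up check is to confirm that the plugin's options no longer change when the form is submitted without its nonce field, and to review the current option values for unexpected logo URLs or login messages.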

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 06:30:00 +0000

No values removed in this change. Values added:

Description: The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a completely broken nonce validation in the enter_mpclp_login_options() function, which contains an inverted check (if wp_verify_nonce(...) { return false; }) and is missing the required action parameter for wp_verify_nonce(). As a result, the nonce check is effectively dead code: it never blocks malicious requests because a CSRF-supplied empty/invalid nonce always returns false, satisfying the inverted condition to continue execution. Furthermore, the settings-update handler is hooked on init without any capability check. This makes it possible for unauthenticated attackers to modify all plugin settings, including login page background, logo URL, image dimensions, button colors, and login message, by tricking a logged-in administrator into submitting a crafted request.
Title: MP Customize Login Page <= 1.0 - Cross-Site Request Forgery to Settings Update
Weaknesses: CWE-352
References:
Metrics: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T12:37:35.046Z

Reserved: 2026-04-14T17:59:20.836Z

Link: CVE-2026-6292

Vulnrichment

Updated: 2026-06-24T12:37:30.872Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)