Platform
wordpress
Component
login-register
Fixed in
1.2.1
CVE-2026-1503 is a Cross-Site Scripting (XSS) vulnerability discovered in the WordPress Login Register plugin. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially compromising administrator accounts. The vulnerability affects versions 0.0.0 through 1.2.0 of the plugin, and a patch is expected to be released by the plugin developer.
The vulnerability lies in missing nonce validation combined with insufficient input sanitization and output escaping of the 'login_register_login_post' parameter on the plugin's settings page. An attacker can leverage this to craft a Cross-Site Request Forgery (CSRF) attack that tricks an administrator into unknowingly submitting a request whose stored value is later rendered unescaped, executing attacker-controlled JavaScript in the administrator's browser. Successful exploitation could lead to session hijacking, defacement of the website, or redirection to phishing sites. The impact is particularly severe because it targets administrator accounts, granting attackers significant control over the WordPress site.
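To make the defect class concrete, here is an added illustration that is not the Login Register plugin's own code: a hypothetical WordPress settings handler and field shown first in the weak form (no nonce, no capability check, raw save, unescaped echo) and then hardened with the standard WordPress nonce, capability, sanitization and escaping APIs. The hook names, function names and the option name `lr_example_login_post` are assumptions.

```php
<?php
// Added example: hypothetical plugin settings handler, not the Login Register plugin's code.
// Hook names, function names and the option name are assumptions for illustration.

// --- Weak pattern: no nonce, no capability check, unsanitized save, unescaped output ---
function lr_example_save_weak() {
    // Any POST carrying the parameter is honoured, so a forged cross-site request
    // riding on a logged-in admin's cookies is indistinguishable from a real one.
    update_option( 'lr_example_login_post', $_POST['login_register_login_post'] );
}
function lr_example_render_weak() {
    // The stored value is echoed raw into an attribute, so it can break out of it.
    echo '<input name="login_register_login_post" value="' . get_option( 'lr_example_login_post' ) . '">';
}

// --- Hardened pattern ---
add_action( 'admin_post_lr_example_save', 'lr_example_save' );
function lr_example_save() {
    // 1. Reject requests without a valid nonce (defeats CSRF); wp_die()s on failure.
    check_admin_referer( 'lr_example_save', 'lr_example_nonce' );
    // 2. Require the capability the settings page itself demands.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 3. Sanitize on input: strips tags and control characters.
    $value = isset( $_POST['login_register_login_post'] )
        ? sanitize_text_field( wp_unslash( $_POST['login_register_login_post'] ) )
        : '';
    update_option( 'lr_example_login_post', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=lr-example&updated=1' ) );
    exit;
}
function lr_example_render() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="lr_example_save">';
    // Emit the nonce field that lr_example_save() verifies.
    wp_nonce_field( 'lr_example_save', 'lr_example_nonce' );
    // 4. Escape on output: esc_attr() neutralises quotes and angle brackets.
    echo '<input name="login_register_login_post" value="'
        . esc_attr( get_option( 'lr_example_login_post', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

Sanitizing on input and escaping on output are both needed: sanitization limits what gets stored, escaping guarantees that whatever is stored cannot change the HTML context it is printed into.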
This vulnerability was publicly disclosed on 2026-03-21. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and the ease of CSRF exploitation suggest a medium probability of exploitation (EPSS score likely medium). Monitor WordPress security forums and vulnerability databases for updates.
WordPress websites utilizing the Login Register plugin, particularly those with administrator accounts that frequently interact with the plugin's settings. Shared hosting environments where multiple WordPress installations share the same server resources are also at increased risk, as a compromised plugin instance could potentially affect other sites on the same server.
• wordpress / composer / npm:
grep -r "login_register_login_post" /var/www/html/wp-content/plugins/login-register/
• generic web:
curl -s "https://your-wordpress-site.com/wp-admin/admin-post.php?action=login_register_settings_update" | grep -i "login_register_login_post"
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the WordPress Login Register plugin to a version with the vulnerability patched. Until a patch is available, administrators should exercise extreme caution when clicking links or performing actions within the plugin's settings page. Consider implementing a Web Application Firewall (WAF) with CSRF protection rules to block suspicious requests. Regularly review WordPress user accounts and permissions to identify any unauthorized access.
No known patch available. Please review the vulnerability details carefully and implement protective measures based on your organisation's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2026-1503 is a vulnerability in the WordPress Login Register plugin allowing attackers to inject malicious scripts via a forged request, impacting administrator accounts. It's rated as Medium severity.
You are affected if you are using the WordPress Login Register plugin in versions 0.0.0 through 1.2.0. Upgrade to a patched version as soon as it becomes available.
The recommended fix is to upgrade the WordPress Login Register plugin to a version with the vulnerability patched. Until then, exercise caution and consider WAF rules.
While no public exploits are currently known, the vulnerability's nature and ease of CSRF exploitation suggest a potential for active exploitation. Monitor security advisories.
Check the WordPress.org plugin repository and the Login Register plugin developer's website for official advisories and updates related to CVE-2026-1503.