Platform: wordpress
Component: login-register
Fixed in: 1.2.1
CVE-2026-1503 is a Cross-Site Scripting (XSS) vulnerability discovered in the WordPress Login Register plugin. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially compromising administrator accounts. The vulnerability affects versions 0.0.0 through 1.2.0 of the plugin, and a patch is expected to be released by the plugin developer.
The vulnerability lies in missing nonce validation and insufficient input sanitization/output escaping on the 'loginregisterlogin_post' parameter within the plugin's settings page. Because the settings request carries no nonce, an attacker can craft a Cross-Site Request Forgery (CSRF) attack that tricks a logged-in administrator into submitting a forged request; the unsanitized value it stores is then rendered without escaping and executes as JavaScript in the administrator's browser. Successful exploitation could lead to session hijacking, defacement of the website, or redirection to phishing sites. The impact is particularly severe because it targets administrator accounts, granting attackers significant control over the WordPress site.
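To make the two defects named above concrete, here is a hypothetical WordPress settings handler written for this page; it is an added illustration and not the Login Register plugin's code. The option name 'loginregisterlogin_post' is taken from the advisory, but how the real plugin stores or renders it is assumed. The first pair of functions shows the weak pattern (no nonce, no sanitization, no escaping); the second pair shows the hardened form using WordPress's own nonce, sanitization and escaping helpers. The lr_demo_* function names, the 'lr_demo_nonce' field name and the 'lr-demo' page slug are invented for the example.

```php
<?php
/*
 * Added illustration of the settings-page defects described in the advisory.
 * NOT the Login Register plugin's code: the option name comes from the advisory,
 * everything else (function names, nonce action/field names, page slug) is assumed.
 */

// --- Weak pattern: any POST reaching this handler overwrites the option, and the stored
// value is echoed back into the form attribute unescaped. A form submitted from another
// origin by a logged-in administrator therefore stores markup that later runs in the
// administrator's browser when the settings page is viewed.
function lr_demo_save_settings_weak() {
    if ( isset( $_POST['loginregisterlogin_post'] ) ) {
        update_option( 'loginregisterlogin_post', $_POST['loginregisterlogin_post'] );
    }
}

function lr_demo_render_settings_weak() {
    $value = get_option( 'loginregisterlogin_post', '' );
    echo '<input type="text" name="loginregisterlogin_post" value="' . $value . '">';
}

// --- Hardened pattern.
function lr_demo_save_settings_hardened() {
    // Only act on an actual submission of this form (the submit button is named below),
    // so the nonce check does not fire on unrelated admin page loads.
    if ( empty( $_POST['lr_demo_submit'] ) ) {
        return;
    }
    // 1. Capability check: only administrators may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. Nonce check: wp_nonce_field() in the renderer emits a per-user, time-limited token
    //    under the field name 'lr_demo_nonce'; check_admin_referer() stops the request with
    //    an error when the token is missing or invalid, which defeats a request forged from
    //    another origin because that origin cannot read the token.
    check_admin_referer( 'lr_demo_save_settings', 'lr_demo_nonce' );
    if ( isset( $_POST['loginregisterlogin_post'] ) ) {
        // 3. Input sanitization: wp_unslash() removes WordPress's added slashes, and
        //    sanitize_text_field() strips tags, line breaks and invalid UTF-8 before storage.
        $clean = sanitize_text_field( wp_unslash( $_POST['loginregisterlogin_post'] ) );
        update_option( 'loginregisterlogin_post', $clean );
    }
}

function lr_demo_render_settings_hardened() {
    $value = get_option( 'loginregisterlogin_post', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field (plus a referer field) that check_admin_referer() expects.
    wp_nonce_field( 'lr_demo_save_settings', 'lr_demo_nonce' );
    // 4. Output escaping at render time: esc_attr() neutralises quotes and angle brackets,
    //    so even a value that bypassed sanitization cannot break out of the attribute.
    echo '<input type="text" name="loginregisterlogin_post" value="' . esc_attr( $value ) . '">';
    // Third argument names the button, which the save handler uses to detect a submission.
    submit_button( 'Save', 'primary', 'lr_demo_submit' );
    echo '</form>';
}

// Wire the hardened pair into the admin lifecycle (admin_init, admin_menu and
// add_options_page() are standard WordPress hooks/functions).
add_action( 'admin_init', 'lr_demo_save_settings_hardened' );
add_action( 'admin_menu', function () {
    add_options_page(
        'Login Register Demo',           // page title
        'Login Register Demo',           // menu title
        'manage_options',                // required capability
        'lr-demo',                       // menu slug
        'lr_demo_render_settings_hardened'
    );
} );
```

The nonce is the control that specifically closes the CSRF path: sanitization and escaping limit what a stored value can do, but only the nonce ties a settings change to a form the administrator actually loaded from the site. Defenders reviewing a plugin can grep its settings handlers for update_option() calls that are not preceded by check_admin_referer()/wp_verify_nonce() and for echoed option values not wrapped in esc_attr()/esc_html().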
This vulnerability was publicly disclosed on 2026-03-21. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and the ease of CSRF exploitation suggest a medium probability of exploitation (EPSS score likely medium). Monitor WordPress security forums and vulnerability databases for updates.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the WordPress Login Register plugin to a version with the vulnerability patched. Until a patch is available, administrators should exercise extreme caution when clicking links or performing actions within the plugin's settings page. Consider implementing a Web Application Firewall (WAF) with CSRF protection rules to block suspicious requests. Regularly review WordPress user accounts and permissions to identify any unauthorized access.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-1503 is a vulnerability in the WordPress Login Register plugin allowing attackers to inject malicious scripts via a forged request, impacting administrator accounts. It's rated as Medium severity.
You are affected if you are using the WordPress Login Register plugin in versions 0.0.0 through 1.2.0. Upgrade to a patched version as soon as it becomes available.
The recommended fix is to upgrade the WordPress Login Register plugin to a version with the vulnerability patched. Until then, exercise caution and consider WAF rules.
While no public exploits are currently known, the vulnerability's nature and ease of CSRF exploitation suggest a potential for active exploitation. Monitor security advisories.
Check the WordPress.org plugin repository and the Login Register plugin developer's website for official advisories and updates related to CVE-2026-1503.