Platform
wordpress
Component
login-register
Fixed version
1.2.1
CVE-2026-1503 is a Cross-Site Scripting (XSS) vulnerability in the WordPress Login Register plugin. It allows unauthenticated attackers to inject arbitrary web scripts via a forged request, potentially compromising administrator accounts. The vulnerability affects plugin versions 0.0.0 through 1.2.0; the fixed version recorded on this page is 1.2.1.
The vulnerability stems from missing nonce validation combined with insufficient input sanitization and output escaping for the 'loginregisterlogin_post' parameter handled by the plugin's settings page. Because the settings handler does not verify a nonce, an attacker can mount a Cross-Site Request Forgery (CSRF) attack: an administrator who visits an attacker-controlled page while logged in submits a forged request without realising it, the attacker-supplied value is accepted unsanitized, and because it is not escaped on output the embedded script executes in the administrator's browser when the settings page renders it. Successful exploitation could lead to session hijacking, defacement of the website, or redirection to phishing sites. The impact is severe because the payload runs in an administrator's session, granting the attacker significant control over the WordPress site.
This vulnerability was publicly disclosed on 2026-03-21. No public proof-of-concept (PoC) code had been released at the time of writing, and the EPSS score recorded on this page is 0.01% (2nd percentile), i.e. low predicted exploitation activity. The attack nevertheless requires only that a logged-in administrator load an attacker-controlled page, so monitor WordPress security forums and vulnerability databases for updates.
WordPress websites using the Login Register plugin are affected, particularly those whose administrators regularly open the plugin's settings page. Shared hosting environments where several WordPress installations share the same server are at additional risk: an attacker who gains administrator control of one site can often pivot to neighbouring sites when the hosting provides weak isolation between them.
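The following is an added illustration of the bug class described above (a settings handler with no nonce check that stores unsanitized input and echoes it unescaped, alongside the hardened equivalent). It is example code written for this page, not the Login Register plugin's own source; the action name lr_example_save, the option name lr_example_login_post and the field name login_post are hypothetical.

```php
<?php
/**
 * Added example for this page, not the plugin's code.
 * Action, option and field names (lr_example_*, login_post) are hypothetical.
 */

// ---- Vulnerable pattern: no nonce check, no capability check, no escaping ----
// admin_post_{action} fires for any logged-in user who reaches admin-post.php,
// so a forged cross-site form submitted by an administrator's browser is honoured
// and the attacker's raw value lands in the database.
function lr_example_save_vulnerable() {
    if ( isset( $_POST['login_post'] ) ) {
        update_option( 'lr_example_login_post', $_POST['login_post'] ); // raw input stored
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=lr-example' ) );
    exit;
}

function lr_example_render_vulnerable() {
    $value = get_option( 'lr_example_login_post', '' );
    // Unescaped output: a stored value such as "><script>...</script> breaks out
    // of the attribute and runs in the administrator's session.
    echo '<input type="text" name="login_post" value="' . $value . '">';
}

// ---- Hardened pattern: nonce + capability check on write, sanitize on store, escape on output ----
function lr_example_save_hardened() {
    // The nonce is bound to the current user's session and to this action, so a
    // request forged from another origin cannot carry a valid one; on failure
    // check_admin_referer() calls wp_die() and the handler never proceeds.
    check_admin_referer( 'lr_example_save', 'lr_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $clean = isset( $_POST['login_post'] )
        ? sanitize_text_field( wp_unslash( $_POST['login_post'] ) )
        : '';
    update_option( 'lr_example_login_post', $clean );
    wp_safe_redirect( admin_url( 'options-general.php?page=lr-example' ) );
    exit;
}

function lr_example_render_hardened() {
    $value = get_option( 'lr_example_login_post', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="lr_example_save">';
    wp_nonce_field( 'lr_example_save', 'lr_example_nonce' );
    // esc_attr() converts quotes and angle brackets to entities, so whatever was
    // stored is displayed as text rather than parsed as markup.
    echo '<input type="text" name="login_post" value="' . esc_attr( $value ) . '">';
    echo '<button type="submit">Save</button></form>';
}

add_action( 'admin_post_lr_example_save', 'lr_example_save_hardened' );
```

The two controls are independent: the nonce check stops the forged write, and escaping on output stops a value that reaches the database by any other route from executing. Sanitizing on input (sanitize_text_field) is defence in depth, not a substitute for either.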
To confirm whether an installation is affected, read the installed plugin version (affected if it is 1.2.0 or lower) and, if you want to confirm the parameter is handled by the installed code, search the plugin source for it:
• wordpress / composer / npm:
grep -ri "^ \* Version:" /var/www/html/wp-content/plugins/login-register/*.php
wp plugin get login-register --field=version
grep -rn "login_register_login_post" /var/www/html/wp-content/plugins/login-register/
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/login-register/readme.txt | grep -i "^Stable tag:"
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the WordPress Login Register plugin to the fixed version listed above (1.2.1) or later. Until the upgrade is applied, administrators should avoid following untrusted links while logged in to the WordPress dashboard, since the attack depends on an administrator's browser submitting a forged request. A Web Application Firewall (WAF) can reduce exposure with a rule that blocks requests to the plugin's settings endpoint whose Origin or Referer header does not match your own site, but this is a stopgap rather than a fix. Regularly review WordPress user accounts and permissions to identify any unauthorized access.
If no fixed release is available to you, review the vulnerability details and mitigate according to your organization's risk tolerance; uninstalling the affected plugin and switching to an alternative may be the safest option.
CVE-2026-1503 is a vulnerability in the WordPress Login Register plugin allowing attackers to inject malicious scripts via a forged request, impacting administrator accounts. It's rated as Medium severity.
You are affected if you are using the WordPress Login Register plugin in versions 0.0.0 through 1.2.0. Upgrade to the fixed version listed above (1.2.1) or later.
The recommended fix is to upgrade the WordPress Login Register plugin to the fixed version (1.2.1) or later. Until then, avoid following untrusted links while logged in as an administrator and consider WAF rules on the plugin's settings endpoint.
While no public exploits are currently known, the vulnerability's nature and ease of CSRF exploitation suggest a potential for active exploitation. Monitor security advisories.
Check the WordPress.org plugin repository and the Login Register plugin developer's website for official advisories and updates related to CVE-2026-1503.