Platform
wordpress
Component
login-register
Fixed in
1.2.1
CVE-2026-1503 is a Cross-Site Scripting (XSS) vulnerability discovered in the WordPress Login Register plugin. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially compromising administrator accounts. The vulnerability affects versions 0.0.0 through 1.2.0 of the plugin, and a patch is expected to be released by the plugin developer.
The vulnerability lies in the lack of proper nonce validation and insufficient input sanitization/output escaping on the 'login_register_login_post' parameter within the plugin's settings page. Because the settings handler does not verify a nonce, an attacker can craft a Cross-Site Request Forgery (CSRF) request that tricks a logged-in administrator into unknowingly submitting a value containing malicious JavaScript, which is then stored and rendered without escaping. Successful exploitation could lead to session hijacking, defacement of the website, or redirection to phishing sites. The impact is particularly severe because it targets administrator accounts, granting attackers significant control over the WordPress site.
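As an added illustration (this is not the Login Register plugin's code and does not reproduce the actual CVE-2026-1503 flaw), the following hypothetical WordPress settings handler shows the two defect classes the paragraph names, a missing nonce/capability check on save and unescaped output on render, next to the hardened form a plugin developer would use. The option name `lr_example_login_post`, the action name `lr_example_save`, the nonce name `lr_example_nonce` and the settings page slug `lr-example` are assumptions chosen for the example; only the request parameter name `login_register_login_post` comes from the advisory.

```php
<?php
// Hypothetical example, not the Login Register plugin's own code.
// Option, action, nonce and page names below are assumed for illustration.

// --- Vulnerable pattern (the defect class described in the advisory) ---
// No capability check and no nonce check: a forged cross-site form submission
// to admin-post.php by a logged-in administrator changes the option (CSRF).
// The value is stored unsanitised and later printed unescaped (stored XSS).
function lr_example_save_vulnerable() {
    if ( isset( $_POST['login_register_login_post'] ) ) {
        update_option( 'lr_example_login_post', $_POST['login_register_login_post'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=lr-example' ) );
    exit;
}

function lr_example_render_vulnerable() {
    // Raw option value concatenated into an attribute: any stored quote or
    // angle bracket breaks out of the attribute for whoever views the page.
    echo '<input name="login_register_login_post" value="'
        . get_option( 'lr_example_login_post', '' ) . '">';
}

// --- Hardened pattern ---
function lr_example_save_hardened() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Nonce check: the request must carry a token tied to this admin's
    //    session, which a cross-site forged request cannot supply.
    //    check_admin_referer() terminates the request if the nonce is invalid.
    check_admin_referer( 'lr_example_save', 'lr_example_nonce' );

    // 3. Sanitise on input: strip tags, line breaks and control characters.
    $value = isset( $_POST['login_register_login_post'] )
        ? sanitize_text_field( wp_unslash( $_POST['login_register_login_post'] ) )
        : '';
    update_option( 'lr_example_login_post', $value );

    wp_safe_redirect( admin_url( 'options-general.php?page=lr-example' ) );
    exit;
}

function lr_example_render_hardened() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lr_example_save">
        <?php wp_nonce_field( 'lr_example_save', 'lr_example_nonce' ); ?>
        <!-- 4. Escape on output: esc_attr() encodes quotes and angle brackets
             so the stored value can never terminate the attribute. -->
        <input type="text" name="login_register_login_post"
               value="<?php echo esc_attr( get_option( 'lr_example_login_post', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// admin-post.php routes action=lr_example_save to this handler for logged-in
// users only. No admin_post_nopriv_ hook is registered, so unauthenticated
// requests to the action are ignored by WordPress.
add_action( 'admin_post_lr_example_save', 'lr_example_save_hardened' );
```

The nonce check is what defeats the CSRF half of the chain, and the output escaping is what defeats the XSS half; the capability check and input sanitisation are defence in depth. When reviewing a plugin for this class of bug, look for `update_option()` calls reachable from `admin_post_*` or `admin-ajax.php` handlers that are not preceded by `check_admin_referer()` or `wp_verify_nonce()`, and for option values echoed without `esc_attr()` or `esc_html()`.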
This vulnerability was publicly disclosed on 2026-03-21. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and the ease of CSRF exploitation suggest a medium probability of exploitation (EPSS score likely medium). Monitor WordPress security forums and vulnerability databases for updates.
WordPress websites utilizing the Login Register plugin, particularly those with administrator accounts that frequently interact with the plugin's settings. Shared hosting environments where multiple WordPress installations share the same server resources are also at increased risk, as a compromised plugin instance could potentially affect other sites on the same server.
• wordpress / composer / npm:
grep -r "login_register_login_post" /var/www/html/wp-content/plugins/login-register/
• generic web:
curl -s "https://your-wordpress-site.com/wp-admin/admin-post.php?action=login_register_settings_update" | grep -i "login_register_login_post"
Disclosure
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the WordPress Login Register plugin to a version with the vulnerability patched. Until a patch is available, administrators should exercise extreme caution when clicking links or performing actions within the plugin's settings page. Consider implementing a Web Application Firewall (WAF) with CSRF protection rules to block suspicious requests. Regularly review WordPress user accounts and permissions to identify any unauthorized access.
No known patch available. Study the vulnerability details thoroughly and apply mitigations based on your organisation's risk tolerance. It may be best to remove the affected software and find a replacement.
CVE-2026-1503 is a vulnerability in the WordPress Login Register plugin allowing attackers to inject malicious scripts via a forged request, impacting administrator accounts. It's rated as Medium severity.
You are affected if you are using the WordPress Login Register plugin in versions 0.0.0 through 1.2.0. Upgrade to a patched version as soon as it becomes available.
The recommended fix is to upgrade the WordPress Login Register plugin to a version with the vulnerability patched. Until then, exercise caution and consider WAF rules.
While no public exploits are currently known, the vulnerability's nature and ease of CSRF exploitation suggest a potential for active exploitation. Monitor security advisories.
Check the WordPress.org plugin repository and the Login Register plugin developer's website for official advisories and updates related to CVE-2026-1503.