Skip to main content

MP Customize Login Page CVE-2026-6292

| EUVDEUVD-2026-38676 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-24 Wordfence GHSA-4j34-5678-4gmg
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-delivered CSRF with no attacker privileges; UI:R reflects mandatory admin interaction; I:L bounded to cosmetic settings; no confidentiality or availability impact possible.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 07:03 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 4.3

DescriptionCVE.org

The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a completely broken nonce validation in the enter_mpclp_login_options() function, which contains an inverted check (if wp_verify_nonce(...) { return false; }) and is missing the required action parameter for wp_verify_nonce(). As a result, the nonce check is effectively dead code: it never blocks malicious requests because a CSRF-supplied empty/invalid nonce always returns false, satisfying the inverted condition to continue execution. Furthermore, the settings-update handler is hooked on init without any capability check. This makes it possible for unauthenticated attackers to modify all plugin setting, including login page background, logo URL, image dimensions, button colors, and login message, by tricking a logged-in administrator into submitting a crafted request.

AnalysisAI

Cross-Site Request Forgery in the MP Customize Login Page WordPress plugin (all versions ≤ 1.0) enables unauthenticated remote attackers to overwrite login page settings - background, logo URL, image dimensions, button colors, and login message - by tricking a logged-in administrator into submitting a crafted request. The root cause is a doubly defective nonce implementation in enter_mpclp_login_options(): the check is logically inverted (blocking valid nonces while passing invalid ones) and the required action parameter is omitted from wp_verify_nonce(), rendering the entire check dead code. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft auto-submitting CSRF form
Delivery
Host form on attacker-controlled page
Exploit
Phish logged-in WordPress admin
Install
Admin browser submits forged POST request
C2
Inverted nonce check passes invalid token
Execute
Capability check absent on init hook
Impact
Login page settings overwritten

Vulnerability AssessmentAI

Exploitation The MP Customize Login Page plugin must be installed and active on the target WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N accurately reflects the constrained real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a hidden auto-submitting HTML form on an external page, targeting the WordPress site's login settings handler with forged field values (e.g., a malicious logo URL or altered login message). The attacker sends a phishing link to a WordPress administrator who is currently logged in; when the admin loads the page, their browser silently submits the crafted POST request, which the plugin processes without resistance because the inverted nonce check treats the absent CSRF token as valid and no capability check is present. …
Remediation No vendor-released patched version has been confirmed in the available data; the CPE version wildcard and absence of a fix version in references suggest the plugin remains unpatched. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy