EUVD-2026-14181
GHSA-p352-rg87-vcp2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Description
The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the 'login_register_login_post' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Analysis
The login_register plugin for WordPress versions up to 1.2.0 contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability due to missing nonce validation and insufficient input sanitization on the settings page. Unauthenticated attackers can craft malicious links to trick administrators into injecting arbitrary JavaScript that persists and executes for all users accessing affected pages. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to Cross-Site Request Forgery to and apply vendor patches as part of regular patch cycle. Verify anti-CSRF tokens are enforced.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today