CVE-2026-6292 - Vulnerability Details

Vendors	Products
Manuelpadillac	Mp Customize Login Page
Wordpress	Wordpress

Link	Providers
https://plugins.trac.wordpress.org/browser/mp-customize-login-page/tags/1.0/class.mp-customize-login-page.php#L103
https://plugins.trac.wordpress.org/browser/mp-customize-login-page/tags/1.0/class.mp-customize-login-page.php#L13
https://plugins.trac.wordpress.org/browser/mp-customize-login-page/trunk/class.mp-customize-login-page.php#L103
https://plugins.trac.wordpress.org/browser/mp-customize-login-page/trunk/class.mp-customize-login-page.php#L13
https://www.wordfence.com/threat-intel/vulnerabilities/id/b9216875-8cb6-45a7-b23b-19d13f8b49dc?source=cve

Type	Values Removed	Values Added
First Time appeared		Manuelpadillac Manuelpadillac mp Customize Login Page Wordpress Wordpress wordpress
Vendors & Products		Manuelpadillac Manuelpadillac mp Customize Login Page Wordpress Wordpress wordpress

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Description		The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a completely broken nonce validation in the enter_mpclp_login_options() function, which contains an inverted check (if wp_verify_nonce(...) { return false; }) and is missing the required action parameter for wp_verify_nonce(). As a result, the nonce check is effectively dead code: it never blocks malicious requests because a CSRF-supplied empty/invalid nonce always returns false, satisfying the inverted condition to continue execution. Furthermore, the settings-update handler is hooked on init without any capability check. This makes it possible for unauthenticated attackers to modify all plugin setting, including login page background, logo URL, image dimensions, button colors, and login message, by tricking a logged-in administrator into submitting a crafted request.
Title		MP Customize Login Page <= 1.0 - Cross-Site Request Forgery to Settings Update
Weaknesses		CWE-352
References		https://plugins.trac.wordpress.org/browser/mp-customize-login-page/tags/1.0/class.mp-customize-login-page.php#L103 https://plugins.trac.wordpress.org/browser/mp-customize-login-page/tags/1.0/class.mp-customize-login-page.php#L13 https://plugins.trac.wordpress.org/browser/mp-customize-login-page/trunk/class.mp-customize-login-page.php#L103 https://plugins.trac.wordpress.org/browser/mp-customize-login-page/trunk/class.mp-customize-login-page.php#L13 https://www.wordfence.com/threat-intel/vulnerabilities/id/b9216875-8cb6-45a7-b23b-19d13f8b49dc?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6292", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-14T17:59:20.836Z", "datePublished": "2026-06-24T05:33:28.779Z", "dateUpdated": "2026-06-24T12:37:35.046Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-06-24T05:33:28.779Z"}, "affected": [{"vendor": "manuelpadillac", "product": "MP Customize Login Page", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a completely broken nonce validation in the enter_mpclp_login_options() function, which contains an inverted check (if wp_verify_nonce(...) { return false; }) and is missing the required action parameter for wp_verify_nonce(). As a result, the nonce check is effectively dead code: it never blocks malicious requests because a CSRF-supplied empty/invalid nonce always returns false, satisfying the inverted condition to continue execution. Furthermore, the settings-update handler is hooked on init without any capability check. This makes it possible for unauthenticated attackers to modify all plugin setting, including login page background, logo URL, image dimensions, button colors, and login message, by tricking a logged-in administrator into submitting a crafted request."}], "title": "MP Customize Login Page <= 1.0 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b9216875-8cb6-45a7-b23b-19d13f8b49dc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mp-customize-login-page/trunk/class.mp-customize-login-page.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/mp-customize-login-page/tags/1.0/class.mp-customize-login-page.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/mp-customize-login-page/trunk/class.mp-customize-login-page.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/mp-customize-login-page/tags/1.0/class.mp-customize-login-page.php#L13"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-06-23T16:37:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T12:37:24.049528Z", "id": "CVE-2026-6292", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T12:37:35.046Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6292", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-24T12:37:24.049528Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T12:37:30.872Z"}}], "cna": {"title": "MP Customize Login Page <= 1.0 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "manuelpadillac", "product": "MP Customize Login Page", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-06-23T16:37:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b9216875-8cb6-45a7-b23b-19d13f8b49dc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mp-customize-login-page/trunk/class.mp-customize-login-page.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/mp-customize-login-page/tags/1.0/class.mp-customize-login-page.php#L103"}, {"url": "https://plugins.trac.wordpress.org/browser/mp-customize-login-page/trunk/class.mp-customize-login-page.php#L13"}, {"url": "https://plugins.trac.wordpress.org/browser/mp-customize-login-page/tags/1.0/class.mp-customize-login-page.php#L13"}], "descriptions": [{"lang": "en", "value": "The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a completely broken nonce validation in the enter_mpclp_login_options() function, which contains an inverted check (if wp_verify_nonce(...) { return false; }) and is missing the required action parameter for wp_verify_nonce(). As a result, the nonce check is effectively dead code: it never blocks malicious requests because a CSRF-supplied empty/invalid nonce always returns false, satisfying the inverted condition to continue execution. Furthermore, the settings-update handler is hooked on init without any capability check. This makes it possible for unauthenticated attackers to modify all plugin setting, including login page background, logo URL, image dimensions, button colors, and login message, by tricking a logged-in administrator into submitting a crafted request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-06-24T05:33:28.779Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6292", "state": "PUBLISHED", "dateUpdated": "2026-06-24T12:37:35.046Z", "dateReserved": "2026-04-14T17:59:20.836Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-06-24T05:33:28.779Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object