PatchSiren cyber security CVE debrief
CVE-2026-6292 manuelpadillac CVE debrief
The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This vulnerability is due to a completely broken nonce validation in the enter_mpclp_login_options() function. The function contains an inverted check (if wp_verify_nonce(...) { return false; }) and is missing the required action parameter for wp_verify_nonce(). As a result, the nonce check is effectively dead code: it never blocks malicious requests because a CSRF-supplied empty/invalid nonce always returns false, satisfying the inverted condition to continue execution. Furthermore, the settings-update handler is hooked on init without any capability check. This makes it possible for unauthenticated attackers to modify all plugin settings, including login page background, logo URL, image dimensions, button colors, and login message, by tricking a logged-in administrator into submitting a crafted request.
- Vendor: manuelpadillac
- Product: MP Customize Login Page
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-24
- Original CVE updated: 2026-06-25
- Advisory published: 2026-06-24
- Advisory updated: 2026-06-25
Who should care
Administrators of WordPress sites running the MP Customize Login Page plugin should be aware of this vulnerability and take immediate action to protect their sites. It lets an unauthenticated attacker who tricks a logged-in administrator into submitting a crafted request modify the plugin's settings, which can serve as a stepping stone to further exploitation or compromise of the site.
Technical summary
The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because the nonce validation in the enter_mpclp_login_options() function is broken in two ways: the check is inverted (a successful wp_verify_nonce() result returns early, a failed one continues), and the required action parameter is omitted, so the check never rejects a request. Additionally, the settings-update handler is hooked on init without a capability check, so unauthenticated attackers can modify plugin settings by tricking a logged-in administrator into submitting a crafted request.
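As an added illustration that is not the plugin's source code, the following reconstructs the flawed pattern the advisory describes and places a hardened handler beside it; the mpclp_* field and option names and the settings page slug are assumptions:

```php
<?php
// Added illustration, not the plugin's actual source. Field/option names
// (mpclp_*) and the settings page slug are hypothetical.

// --- Flawed pattern, reconstructed from the advisory ---
add_action( 'init', 'enter_mpclp_login_options' );   // runs for every visitor

function enter_mpclp_login_options() {
    if ( ! isset( $_POST['mpclp_submit'] ) ) {        // hypothetical submit field
        return;
    }
    // Defect 1: the $action argument is omitted, so no nonce is bound to this form.
    // Defect 2: the condition is inverted. A forged request carries an empty nonce,
    // wp_verify_nonce() returns false, the early return is skipped, and the
    // update below runs anyway.
    if ( wp_verify_nonce( $_POST['_wpnonce'] ?? '' ) ) {
        return false;
    }
    // Defect 3: no capability check before writing settings.
    update_option( 'mpclp_logo_url', $_POST['mpclp_logo_url'] ?? '' ); // hypothetical option
}

// --- Hardened handler: admin-post.php endpoint instead of init ---
add_action( 'admin_post_mpclp_save_options', 'mpclp_save_options_secure' );

function mpclp_save_options_secure() {
    // Capability gate: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Nonce bound to a named action. check_admin_referer() calls wp_die() on
    // failure, so a forged request never reaches update_option().
    check_admin_referer( 'mpclp_save_options', 'mpclp_nonce' );

    $logo = esc_url_raw( wp_unslash( $_POST['mpclp_logo_url'] ?? '' ) );
    update_option( 'mpclp_logo_url', $logo );

    wp_safe_redirect( admin_url( 'options-general.php?page=mpclp&saved=1' ) );
    exit;
}

// The matching settings form posts to admin_url( 'admin-post.php' ) with a
// hidden input name="action" value="mpclp_save_options" and emits the nonce via
// wp_nonce_field( 'mpclp_save_options', 'mpclp_nonce' ), so the token the
// handler verifies is tied to this specific action.
```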
Defensive priority
Updating the MP Customize Login Page plugin to a version that fixes the CSRF vulnerability should be treated as a high priority. Until the update is applied, site administrators should monitor their sites for suspicious activity and consider additional protective measures to limit the chance of exploitation.
Recommended defensive actions
- Update the MP Customize Login Page plugin to the latest version.
- Monitor WordPress site logs for suspicious requests.
- Implement additional security measures, such as Content Security Policy (CSP) headers.
- Educate administrators on the risks of CSRF attacks and the importance of verifying request authenticity.
- Consider using a Web Application Firewall (WAF) to detect and prevent CSRF attacks.
Evidence notes
The vulnerability was reported by security researchers at Wordfence, who discovered the broken nonce validation and lack of capability checks in the plugin's settings-update handler. The CVE record and NVD details provide further information on the vulnerability.
This article is AI-assisted and based on the supplied source corpus.