Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Plugin Name: login_register by frankkoenen

    CVE-2026-1503 (GCVE-0-2026-1503)

    Vulnerability from nvd – Published: 2026-03-21 03:26 – Updated: 2026-04-08 17:05
    VLAI
    Title
    login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
    Summary
    The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the 'login_register_login_post' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    frankkoenen Plugin Name: login_register Affected: 0 , ≤ 1.2.0 (semver)
    Create a notification for this product.
    Credits
    Muhammad Nur Ibnu Hubab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1503",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-23T15:07:36.684367Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-23T15:54:20.991Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Plugin Name: login_register",
              "vendor": "frankkoenen",
              "versions": [
                {
                  "lessThanOrEqual": "1.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Nur Ibnu Hubab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the \u0027login_register_login_post\u0027 parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via a forged request granted they can trick an administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:05:59.673Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c82d209-3c69-4d6e-a129-d519f6601540?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/login-register/tags/1.2.0/login_register_admin.php#L12"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/login-register/tags/1.2.0/login_register_admin.php#L14"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/login-register/tags/1.2.0/login_register_admin.php#L69"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-20T15:16:29.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "login_register \u003c= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1503",
        "datePublished": "2026-03-21T03:26:54.649Z",
        "dateReserved": "2026-01-27T19:28:28.952Z",
        "dateUpdated": "2026-04-08T17:05:59.673Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1503 (GCVE-0-2026-1503)

    Vulnerability from cvelistv5 – Published: 2026-03-21 03:26 – Updated: 2026-04-08 17:05
    VLAI
    Title
    login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
    Summary
    The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the 'login_register_login_post' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    frankkoenen Plugin Name: login_register Affected: 0 , ≤ 1.2.0 (semver)
    Create a notification for this product.
    Credits
    Muhammad Nur Ibnu Hubab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1503",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-23T15:07:36.684367Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-23T15:54:20.991Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Plugin Name: login_register",
              "vendor": "frankkoenen",
              "versions": [
                {
                  "lessThanOrEqual": "1.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muhammad Nur Ibnu Hubab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the \u0027login_register_login_post\u0027 parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via a forged request granted they can trick an administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:05:59.673Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c82d209-3c69-4d6e-a129-d519f6601540?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/login-register/tags/1.2.0/login_register_admin.php#L12"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/login-register/tags/1.2.0/login_register_admin.php#L14"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/login-register/tags/1.2.0/login_register_admin.php#L69"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-20T15:16:29.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "login_register \u003c= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1503",
        "datePublished": "2026-03-21T03:26:54.649Z",
        "dateReserved": "2026-01-27T19:28:28.952Z",
        "dateUpdated": "2026-04-08T17:05:59.673Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }