WordPress · Simple Custom Login Page · CVE-2026-10100
**Name of the Vulnerable Software and Affected Versions**
Simple Custom Login Page versions prior to 1.0.4
**Description**
The Simple Custom Login Page plugin for WordPress contains a Stored Cross-Site Scripting issue. The problem occurs because color settings fields are registered and stored without a `sanitize_callback` function, leading to insufficient input sanitization. When these values are output into a style block on the `wp-login.php` endpoint, the use of `esc_attr()` fails to escape characters such as `;`, `{`, `}`, `/`, or `*`, which are critical in a CSS context. Authenticated attackers with administrator-level access can inject arbitrary CSS rules into the login page. These rules are rendered for all unauthenticated visitors, potentially enabling UI-redress and credential-phishing attacks. The affected variables include `Page Background`, `Form Background`, `Text Color`, and `Link Color`.
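The gap between HTML-attribute escaping and CSS-context validation described above, shown as an added example that is not the plugin's code. All `sclp_example_*` names are hypothetical, `htmlspecialchars()` stands in for `esc_attr()` so the file runs without WordPress, and the validator assumes the color fields only need hex colors.

```php
<?php
// Added example, not the plugin's code. All sclp_example_* names are hypothetical.

// Allow-list validator: accept only #rgb or #rrggbb, otherwise fall back to a default.
// Assumes the color fields only need hex colors.
function sclp_example_sanitize_color( $value ) {
    $value = is_string( $value ) ? trim( $value ) : '';
    return preg_match( '/\A#(?:[0-9a-fA-F]{3}){1,2}\z/', $value ) ? $value : '#ffffff';
}

// Stand-in for esc_attr() so the file runs without WordPress: HTML escaping only.
function sclp_example_attr_escape( $value ) {
    return htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' );
}

// Build the login-page style rule from a stored setting value.
function sclp_example_render_style( $color ) {
    return sprintf( '<style>body.login { background: %s; }</style>', $color );
}

if ( function_exists( 'register_setting' ) ) {
    // Inside WordPress: sanitize on save so only validated colors are ever stored.
    add_action( 'admin_init', function () {
        register_setting( 'sclp_example_group', 'sclp_example_page_bg', array(
            'type'              => 'string',
            'sanitize_callback' => 'sclp_example_sanitize_color',
            'default'           => '#ffffff',
        ) );
    } );
} else {
    // Stand-alone run (php example.php) over constructed sample values.
    $samples = array( '#1e73be', '#fff', '#fff;} a{color:red', 'red/**/' );
    foreach ( $samples as $raw ) {
        echo 'stored value : ', $raw, "\n";
        // HTML escaping leaves ; { } / * untouched, so the value can close the rule.
        echo 'escaped only : ', sclp_example_render_style( sclp_example_attr_escape( $raw ) ), "\n";
        // Validation replaces anything that is not a hex color with the default.
        echo 'validated    : ', sclp_example_render_style( sclp_example_sanitize_color( $raw ) ), "\n\n";
    }
}
```

Running the same validator again at output time also covers values that were stored before a sanitize callback was registered.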
**Recommendations**
Update the plugin to a version later than 1.0.3.
As a temporary mitigation, avoid modifying the `Page Background`, `Form Background`, `Text Color`, and `Link Color` settings until the update is applied.