PT-2026-26811 · WordPress · Login Register

Published: 2026-03-21 · Updated: 2026-03-21 · CVE-2026-1503

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

login register plugin for WordPress versions prior to 1.2.1

Description

The login register plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS). The issue stems from a lack of nonce validation on the settings page and inadequate input sanitization and output escaping of the login register login post parameter. This allows unauthenticated attackers to inject malicious web scripts into pages through a forged request, provided the attacker can trick an administrator into performing an action, such as clicking a link. The scripts execute when a user accesses the injected page.

Recommendations

Update the login register plugin to version 1.2.1 or later. Ensure nonce validation is implemented on the settings page. Implement proper input sanitization and output escaping for the login register login post parameter.
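
The three measures named in the recommendations (nonce validation on the settings page, input sanitization, output escaping), shown together as an added example of a WordPress settings handler. This is not the plugin's code or its 1.2.1 fix; the option, field, action and shortcode names (`example_login_text`, `example_save_settings`, `example_nonce`) are hypothetical placeholders.

```php
<?php
/**
 * Plugin Name: Example Hardened Settings (illustration only)
 */

// All "example_*" names are hypothetical; they are not the affected plugin's identifiers.
add_action( 'admin_menu', function () {
    add_options_page( 'Example Settings', 'Example Settings', 'manage_options',
        'example-settings', 'example_render_settings' );
} );

function example_render_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $value = get_option( 'example_login_text', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); // per-user, per-action token ?>
        <input type="text" name="example_login_text" value="<?php echo esc_attr( $value ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_save_settings', function () {
    // Capability check first: a valid nonce alone does not prove the user may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Ends the request unless the POST carries the nonce issued by the form above,
    // so a request forged from another site is rejected before anything is stored.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Sanitize on input: strip tags and control characters before saving.
    $raw = isset( $_POST['example_login_text'] ) ? wp_unslash( $_POST['example_login_text'] ) : '';
    update_option( 'example_login_text', sanitize_text_field( $raw ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings' ) );
    exit;
} );

// Escape on output: even a value stored before the fix is rendered as text, not markup.
add_shortcode( 'example_login_text', function () {
    return esc_html( get_option( 'example_login_text', '' ) );
} );
```

Escaping at output is what neutralizes a payload that was stored before the update, so it is needed in addition to the nonce and sanitization checks on the save path.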

Fix

CSRF

Weakness Enumeration

Related Identifiers: CVE-2026-1503

Affected Products: Login Register