MP Customize Login Page <= 1.0 - Cross-Site Request Forgery to Settings Update
Description
The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a completely broken nonce validation in the enter_mpclp_login_options() function, which contains an inverted check (if wp_verify_nonce(...) { return false; }) and is missing the required action parameter for wp_verify_nonce(). As a result, the nonce check is effectively dead code: it never blocks malicious requests, because wp_verify_nonce() always returns false for the empty or invalid nonce a CSRF request supplies, which satisfies the inverted condition and lets execution continue. Furthermore, the settings-update handler is hooked on init without any capability check. This makes it possible for unauthenticated attackers to modify all plugin settings, including login page background, logo URL, image dimensions, button colors, and login message, by tricking a logged-in administrator into submitting a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=1.0
Patches
Vulnerability mechanics
Root cause
"Inverted nonce validation and missing action parameter in enter_mpclp_login_options() makes the CSRF check dead code, combined with no capability check on the settings-update handler."
Attack vector
An unauthenticated attacker can craft a malicious HTML form that submits a POST request to the WordPress admin area with arbitrary values for plugin settings such as `mpclp-login-image`, `mpclp-login-message`, and button colors. Because the nonce validation is broken (inverted check and missing action parameter), the request passes through without verification. The attacker then tricks a logged-in administrator into submitting this form (e.g., via a social-engineering link or embedded form), resulting in a Cross-Site Request Forgery (CSRF) attack that silently modifies all plugin settings.
Affected code
The vulnerability resides in the `enter_mpclp_login_options()` function in `class.mp-customize-login-page.php` [ref_id=1]. The nonce check is inverted (`if ( wp_verify_nonce( $_POST['_wpnonce'] ) ){ return false; }`) and omits the required action parameter, making it dead code that never blocks requests. Additionally, the handler is hooked on `init` without any capability check, so no authentication or authorization is enforced before updating plugin settings.
What the fix does
The patch is not included in the bundle, but the advisory explains that the fix must correct the nonce validation in `enter_mpclp_login_options()` by calling `wp_verify_nonce()` with the proper action parameter and using a correct conditional (`if ( ! wp_verify_nonce( ... ) )`), and should also add a capability check (e.g., `current_user_can('manage_options')`) before processing settings updates. Without these changes, the nonce check is dead code and the handler is accessible to any unauthenticated request.
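To make the "Affected code" and "What the fix does" sections concrete, here is an added illustration in PHP; it is not the plugin's own source and not the actual patch. The first function reconstructs the broken pattern as the advisory describes it; the second shows a handler with the corrected nonce check, a capability check, and per-field sanitization. The option names mpclp-login-image and mpclp-login-message come from the advisory; the nonce action string 'mpclp_save_login_options', the submit field mpclp_save and the mpclp-button-color field name are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code. Field names other than
// mpclp-login-image and mpclp-login-message, and the nonce action string,
// are assumptions.

// BEFORE: the pattern the advisory describes (reconstructed, not the real source).
// wp_verify_nonce() is called with no action, so it returns false for every
// value, and the inverted condition then lets execution fall through.
function enter_mpclp_login_options_vulnerable() {
    if ( wp_verify_nonce( $_POST['_wpnonce'] ) ) { // inverted: only a *valid* nonce bails out
        return false;
    }
    // ... settings are written here with no capability check ...
}

// AFTER: nonce verified against a named action, condition no longer inverted,
// capability checked, and every field sanitized before it is stored.
function enter_mpclp_login_options_fixed() {
    // Only act when the settings form was actually submitted.
    if ( ! isset( $_POST['mpclp_save'] ) ) {
        return false;
    }
    // Authorization: only users who may manage options can change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // CSRF protection: the nonce must match the action emitted by the form.
    // wp_verify_nonce() returns false for a missing, forged or expired nonce.
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'mpclp_save_login_options' ) ) {
        return false;
    }
    // Sanitize each field according to its type.
    if ( isset( $_POST['mpclp-login-image'] ) ) {
        update_option( 'mpclp-login-image', esc_url_raw( wp_unslash( $_POST['mpclp-login-image'] ) ) );
    }
    if ( isset( $_POST['mpclp-login-message'] ) ) {
        update_option( 'mpclp-login-message', sanitize_text_field( wp_unslash( $_POST['mpclp-login-message'] ) ) );
    }
    if ( isset( $_POST['mpclp-button-color'] ) ) { // assumed field name
        $color = sanitize_hex_color( wp_unslash( $_POST['mpclp-button-color'] ) );
        if ( $color ) {
            update_option( 'mpclp-button-color', $color );
        }
    }
    return true;
}

// The settings form must emit a nonce for the same action the handler verifies.
function mpclp_render_nonce_field() {
    wp_nonce_field( 'mpclp_save_login_options' );
}

// admin_init runs only inside wp-admin after the user is authenticated,
// which is a better hook for a settings handler than the front-end init.
add_action( 'admin_init', 'enter_mpclp_login_options_fixed' );
```

The two checks are independent: the capability check stops a logged-in subscriber from reaching the handler, and the nonce check stops a cross-site form from using an administrator's session. The original code had neither in working order, which is why the advisory treats the nonce check as dead code.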
Preconditions
- auth: A logged-in administrator must visit a crafted page or click a malicious link while authenticated to WordPress.
- input: The attacker must craft a POST request containing the plugin's settings fields (e.g., mpclp-login-image, mpclp-login-message).
- config: The plugin must be installed and active (all versions up to 1.0).
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/mp-customize-login-page/tags/1.0/class.mp-customize-login-page.php (source: MITRE)
- plugins.trac.wordpress.org/browser/mp-customize-login-page/trunk/class.mp-customize-login-page.php (source: MITRE)
- www.wordfence.com/threat-intel/vulnerabilities/id/b9216875-8cb6-45a7-b23b-19d13f8b49dc (source: MITRE)
News mentions
No linked articles in our index yet.