CVE-2026-10100: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pattihis Simple Custom Login Page
The Simple Custom Login Page WordPress plugin up to version 1. 0. 3 contains a stored cross-site scripting (XSS) vulnerability in its color settings fields. This occurs because the plugin fails to properly sanitize input for color options, which are then output unsafely into a CSS context on the login page. Authenticated users with administrator privileges can exploit this to inject arbitrary CSS affecting all unauthenticated visitors, potentially enabling UI redress and credential phishing attacks. The vulnerability has a medium severity with a CVSS score of 4. 4. No official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
CVE-2026-10100 is a stored cross-site scripting vulnerability in the Simple Custom Login Page WordPress plugin (up to version 1.0.3). The issue arises from insufficient input sanitization of color setting fields (Page Background, Form Background, Text Color, Link Color) that are registered and stored without a sanitize callback. These values are then output into a <style> block on wp-login.php using esc_attr(), which does not properly escape characters relevant in CSS context, allowing injection of arbitrary CSS rules. Exploitation requires authenticated administrator-level access and can affect all unauthenticated visitors by altering the login page's appearance, facilitating UI redress and credential phishing.
Potential Impact
An attacker with administrator privileges can inject arbitrary CSS into the login page, which is rendered for all unauthenticated visitors. This can lead to UI redress attacks and credential phishing by manipulating the login interface. The vulnerability does not directly allow code execution or data theft but can be leveraged to deceive users and capture credentials. The CVSS score of 4.4 reflects a medium severity impact with low confidentiality and integrity impact and no availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should restrict access to trusted users only and consider disabling or replacing the plugin to prevent exploitation. Monitoring for plugin updates from the vendor is recommended to apply any forthcoming official patches.
CVE-2026-10100: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pattihis Simple Custom Login Page
Description
The Simple Custom Login Page WordPress plugin up to version 1. 0. 3 contains a stored cross-site scripting (XSS) vulnerability in its color settings fields. This occurs because the plugin fails to properly sanitize input for color options, which are then output unsafely into a CSS context on the login page. Authenticated users with administrator privileges can exploit this to inject arbitrary CSS affecting all unauthenticated visitors, potentially enabling UI redress and credential phishing attacks. The vulnerability has a medium severity with a CVSS score of 4. 4. No official patch or remediation guidance is currently available.
CVSS v3.1
Score 4.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-10100 is a stored cross-site scripting vulnerability in the Simple Custom Login Page WordPress plugin (up to version 1.0.3). The issue arises from insufficient input sanitization of color setting fields (Page Background, Form Background, Text Color, Link Color) that are registered and stored without a sanitize callback. These values are then output into a <style> block on wp-login.php using esc_attr(), which does not properly escape characters relevant in CSS context, allowing injection of arbitrary CSS rules. Exploitation requires authenticated administrator-level access and can affect all unauthenticated visitors by altering the login page's appearance, facilitating UI redress and credential phishing.
Potential Impact
An attacker with administrator privileges can inject arbitrary CSS into the login page, which is rendered for all unauthenticated visitors. This can lead to UI redress attacks and credential phishing by manipulating the login interface. The vulnerability does not directly allow code execution or data theft but can be leveraged to deceive users and capture credentials. The CVSS score of 4.4 reflects a medium severity impact with low confidentiality and integrity impact and no availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should restrict access to trusted users only and consider disabling or replacing the plugin to prevent exploitation. Monitoring for plugin updates from the vendor is recommended to apply any forthcoming official patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-29T15:07:45.775Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1e40ffe29bf47b506f6b94
Added to database: 6/2/2026, 2:33:35 AM
Last enriched: 6/2/2026, 2:49:16 AM
Last updated: 6/2/2026, 4:57:10 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.