CVE-2026-1398 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Change WP URL plugin for WordPress, affecting all versions up to and including 1.0. The root cause is the absence or improper implementation of nonce validation on the 'change-wp-url' administrative page. Nonces in WordPress are security tokens used to verify that requests originate from legitimate users and not from forged sources. Without proper nonce checks, an attacker can craft a malicious request that, when executed by an authenticated administrator (e.g., by clicking a link), changes the WordPress login URL to an attacker-controlled value. This change can disrupt normal login procedures, potentially locking out administrators or redirecting login attempts. The vulnerability requires no authentication for the attacker but does require user interaction from an administrator, making social engineering a key exploitation vector. The CVSS v3.1 base score is 4.3 (medium), reflecting the low impact on confidentiality and availability but acknowledging the integrity impact on site configuration. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is cataloged under CWE-352, which covers CSRF issues where state-changing requests lack proper anti-CSRF tokens.

The primary impact of this vulnerability is on the integrity of the WordPress site's configuration. By changing the login URL, attackers can cause administrative disruption, potentially locking out legitimate administrators or forcing them to discover the new login path. This can delay incident response and site management, increasing the risk of further compromise. While confidentiality and availability are not directly affected, the altered login URL could be leveraged in chained attacks, such as phishing or brute force attempts on the new login endpoint. Organizations relying on the Change WP URL plugin are at risk of unauthorized administrative changes if an attacker successfully tricks an administrator into clicking a malicious link. This risk is heightened in environments where administrators frequently access the WordPress dashboard and may be targeted via spear-phishing or social engineering campaigns. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation.

To mitigate this vulnerability, organizations should first verify if an updated version of the Change WP URL plugin is available that includes proper nonce validation and apply it promptly. In the absence of an official patch, administrators can implement manual nonce checks by customizing the plugin code to verify WordPress nonces on the 'change-wp-url' page before processing requests. Additionally, administrators should be trained to recognize and avoid clicking suspicious links, especially those received via email or messaging platforms. Employing web application firewalls (WAFs) with rules to detect and block CSRF attempts targeting the plugin's endpoints can provide an additional layer of defense. Restricting administrative access to trusted networks or using VPNs can reduce exposure to external CSRF attacks. Regular monitoring of login URL changes and audit logs can help detect unauthorized modifications early. Finally, consider disabling or replacing the plugin with alternatives that follow secure coding practices if timely patching is not feasible.