CVE-2026-6292: CWE-352 Cross-Site Request Forgery (CSRF) in manuelpadillac MP Customize Login Page
The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. The cause is a completely broken nonce validation in the enter_mpclp_login_options() function: the check is inverted (if wp_verify_nonce(...) { return false; }) and omits the required action parameter of wp_verify_nonce(). As a result, the nonce check is effectively dead code. It never blocks a forged request, because the empty or invalid nonce a CSRF request supplies makes wp_verify_nonce() return false, so the inverted condition is not met and execution continues. Furthermore, the settings-update handler is hooked on init without any capability check. This makes it possible for unauthenticated attackers to modify all plugin settings, including login page background, logo URL, image dimensions, button colors, and login message, by tricking a logged-in administrator into submitting a crafted request.
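To make the failure mode concrete, the following PHP is an added illustration written for this entry, not code from the MP Customize Login Page plugin. The first handler reproduces the pattern the advisory describes (inverted nonce check, no action argument, hooked on init, no capability check); the second shows the conventional hardened form. The option and POST field names (mpclp_nonce, mpclp_logo_url, mpclp_button_color, and so on) and the nonce action string mpclp_save_options are assumptions for the example, not names taken from the plugin.

```php
<?php
/**
 * Added illustration (not the plugin's own code) of the nonce-check defect the
 * advisory describes, next to a hardened equivalent. All option, field and
 * nonce-action names below are assumed for the example.
 */

// --- VULNERABLE PATTERN, as described in the advisory -----------------------
// Hooked on `init`, so it runs on every request, authenticated or not.
add_action( 'init', 'enter_mpclp_login_options_vulnerable' );

function enter_mpclp_login_options_vulnerable() {
    if ( ! isset( $_POST['mpclp_submit'] ) ) {
        return;
    }
    // Inverted check with no action argument. wp_verify_nonce() returns false
    // for a missing or forged nonce, so `return false` never fires and the
    // handler keeps going. The check is dead code for exactly the requests it
    // was meant to stop.
    if ( wp_verify_nonce( $_POST['mpclp_nonce'] ?? '' ) ) {
        return false;
    }
    // No current_user_can() check: whoever reaches this point is trusted.
    update_option( 'mpclp_logo_url', $_POST['mpclp_logo_url'] ?? '' );
    update_option( 'mpclp_login_message', $_POST['mpclp_login_message'] ?? '' );
}

// --- HARDENED PATTERN ---------------------------------------------------------
// admin_init only fires for admin-side requests; the handler still enforces
// capability and nonce itself instead of relying on the hook alone.
add_action( 'admin_init', 'mpclp_save_login_options_hardened' );

function mpclp_save_login_options_hardened() {
    if ( ! isset( $_POST['mpclp_submit'] ) ) {
        return;
    }

    // 1. Authorization: only users allowed to change site settings proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.', 'mpclp' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Anti-CSRF: the nonce must be present AND valid for this specific
    //    action. wp_verify_nonce() returns false on failure, so the condition
    //    is negated, not inverted.
    $nonce = isset( $_POST['mpclp_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['mpclp_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'mpclp_save_options' ) ) {
        wp_die(
            esc_html__( 'Security check failed.', 'mpclp' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 3. Sanitize each field for its type before persisting it.
    update_option( 'mpclp_logo_url', esc_url_raw( wp_unslash( $_POST['mpclp_logo_url'] ?? '' ) ) );
    update_option( 'mpclp_logo_width', absint( $_POST['mpclp_logo_width'] ?? 0 ) );

    $color = sanitize_hex_color( wp_unslash( $_POST['mpclp_button_color'] ?? '' ) );
    update_option( 'mpclp_button_color', $color ? $color : '#0073aa' );

    update_option( 'mpclp_login_message', wp_kses_post( wp_unslash( $_POST['mpclp_login_message'] ?? '' ) ) );
}

// The settings form must emit the matching nonce field, tied to the same
// action string the handler verifies.
function mpclp_render_nonce_field() {
    wp_nonce_field( 'mpclp_save_options', 'mpclp_nonce' );
}
```

When reviewing a settings handler, the three things to look for are the ones this example separates: a capability check before any write, a nonce check whose truthiness you have read in the correct direction and whose action string matches the one passed to wp_nonce_field(), and per-field sanitization so that a URL, a pixel width and a colour are each validated as that type.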
AI Analysis
Technical Summary
CVE-2026-6292 describes a CSRF vulnerability in the MP Customize Login Page plugin for WordPress, affecting all versions up to and including 1.0. The vulnerability is caused by a broken nonce validation in the enter_mpclp_login_options() function, where the nonce check is inverted (if wp_verify_nonce(...) { return false; }) and lacks the required action parameter, effectively disabling nonce protection. Additionally, the settings-update handler is hooked on the init action without any capability checks, allowing unauthenticated attackers to modify plugin settings by tricking an authenticated administrator into submitting a malicious request. This can lead to unauthorized changes to login page appearance and messages.
Potential Impact
An attacker can exploit this vulnerability to modify all plugin settings, including login page background, logo URL, image dimensions, button colors, and login message, without authentication. This could result in unauthorized visual changes to the login page, potentially facilitating phishing or social engineering attacks. There is no direct confidentiality or availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should avoid interacting with untrusted links or sites while logged into WordPress and consider disabling or removing the vulnerable plugin to prevent exploitation.
CVSS v3.1
Score 4.3 (Medium)
Affected software
Weaknesses
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-04-14T17:59:20.836Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3b7811eed863c81e5f7212
Added to database: 06/24/2026, 06:24:17 UTC
Last enriched: 06/24/2026, 06:55:00 UTC
Last updated: 06/24/2026, 19:05:16 UTC
Views: 7