CVE-2026-10100: Stored XSS in Simple Custom Login Page WordPress Plugin – MEDIUM Severity
The Simple Custom Login Page plugin for WordPress contains a security flaw that allows administrators to inadvertently inject malicious code into the login page viewed by all users. When a site admin configures colors for the login page through the plugin's settings, an attacker with admin access can craft CSS injection payloads in those color fields. Because the plugin doesn't properly validate these inputs before displaying them, an attacker can break out of the intended styling context and insert arbitrary CSS rules. This enables phishing attacks—for example, by hiding the real login form or overlaying a fake one to steal credentials.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
The Simple Custom Login Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color settings fields (Page Background, Form Background, Text Color, Link Color) in versions up to and including 1.0.3. This is due to insufficient input sanitization of the color option values (they were registered with register_setting() and stored via the Settings API/update_option() with no sanitize_callback) combined with the values being output into a <style> block on wp-login.php using esc_attr(), which is incorrect for a CSS context (it does not escape ;, {, }, / or *). This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary CSS rules into the login page that are rendered for all unauthenticated visitors, enabling UI-redress and credential-phishing attacks.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10100 is a Stored Cross-Site Scripting (XSS) vulnerability in Simple Custom Login Page up to version 1.0.3. The vulnerability arises from two compounding weaknesses: first, the plugin registers color settings (Page Background, Form Background, Text Color, Link Color) without a sanitize_callback parameter in register_setting(), meaning user-supplied values bypass sanitization. Second, these unsanitized values are output into a <style> block using esc_attr(), which escapes HTML attribute metacharacters but not CSS metacharacters such as semicolons, braces, slashes, and asterisks. An authenticated administrator can exploit this by inserting payloads like `red; } body { background: url('...') }` to break the CSS context and inject arbitrary rules. Because the resulting page is served to all unauthenticated visitors, the malicious CSS executes in their browsers, enabling UI redress and credential harvesting.
Business impact
This vulnerability poses a direct threat to site user security and trust. While the attacker must hold administrator-level privileges, a compromised admin account—common in shared hosting environments or following lateral movement—grants access to manipulate the login experience for all site visitors. An attacker can visually disguise the legitimate login form, overlay a credential-stealing form, or redirect users to a phishing page, all without users detecting the manipulation. For WordPress sites hosting user accounts, this can result in mass credential compromise. Additionally, if the site is part of a larger ecosystem (e.g., multi-tenant hosting), a single compromised admin account can affect all visitors to that installation.
Affected systems
Simple Custom Login Page plugin versions up to and including 1.0.3 are affected. The vulnerability requires administrator-level access to exploit, so only WordPress installations with this plugin active are at risk. The attack vector is network-based and affects all unauthenticated visitors to the wp-login.php page once the malicious setting is saved.
Exploitability
Exploitation requires two conditions: an attacker must possess or compromise a WordPress administrator account, and the Simple Custom Login Page plugin must be installed and activated. The attack itself is trivial—no complex manipulation or race conditions are needed. Once settings are saved, the malicious CSS is automatically rendered to all login page visitors. However, this is not a zero-day or remotely exploitable vulnerability from an unauthenticated state. The barrier to exploitation is gaining admin access, not bypassing the plugin's code.
Remediation
Site operators should update the Simple Custom Login Page plugin to a patched version released after June 2026 (verify against the vendor advisory for the specific version). Administrators should review their active plugins and disable or remove this plugin if an update is not available. As an interim measure, restrict administrator account creation and implement strong credential policies to minimize the risk of admin account compromise. Consider using Web Application Firewall (WAF) rules to detect and block CSS injection patterns on login pages if the plugin cannot be immediately patched.
Patch guidance
Check the Simple Custom Login Page plugin repository or the vendor's website for an available security update released after the publication date of June 2, 2026. Apply the patch through the WordPress admin dashboard under Plugins > Updates. If no patch is available from the vendor, consider switching to an alternative login customization plugin with better input validation practices. Test the patched version in a staging environment before deploying to production to ensure compatibility with your site's theme and other plugins.
Detection guidance
Monitor WordPress administrator activity, particularly changes to plugin settings or option values related to login page styling. Check the wp_options table for color settings stored by this plugin and look for CSS metacharacters (semicolons, braces, slashes, asterisks) within those values. Review server logs and browser developer tools for suspicious CSS rules rendered on wp-login.php. Implement file integrity monitoring on the plugin directory to detect unauthorized modifications. Use security plugins that audit options table changes and alert on suspicious stored data patterns.
Why prioritize this
Although assigned a MEDIUM severity score (CVSS 4.4), this vulnerability warrants prompt attention because it directly enables phishing and credential theft targeting all site visitors. The low exploitability barrier (admin access required) is offset by the high business impact—compromised user credentials have cascading effects. Organizations running this plugin should prioritize patching or removal. Sites with strict admin access controls may lower the priority, but those with shared hosting or multiple admins should treat this as elevated risk.
Risk score, explained
The CVSS 3.1 score of 4.4 (MEDIUM) reflects the attack complexity: an attacker needs high-level privileges (PR:H) and the plugin must be active, but once exploited, the attack is consistent and affects all login page visitors (S:C, Scope Changed). Confidentiality and integrity are impacted (C:L, I:L) through credential theft and UI manipulation, but availability is not affected (A:N). The score does not account for the likelihood of admin compromise, only the severity of the attack if admin access is obtained.
Frequently asked questions
Can this vulnerability be exploited without administrator access?
No. The vulnerability requires an authenticated WordPress user with administrator-level privileges to modify the plugin's color settings. An unauthenticated attacker cannot directly inject the malicious CSS. However, if an admin account is compromised through phishing, weak credentials, or a separate vulnerability, this plugin can then be weaponized.
Does updating WordPress core protect against this vulnerability?
No. This is a vulnerability in the Simple Custom Login Page plugin, not WordPress core. Updating WordPress does not remediate plugin-specific flaws. You must update the plugin itself or remove it entirely.
What color fields are affected by this vulnerability?
All four color settings are vulnerable: Page Background, Form Background, Text Color, and Link Color. Any of these fields can be used to inject arbitrary CSS rules into the wp-login.php page.
If I deactivate the plugin, am I protected?
Deactivating the plugin stops the malicious CSS from being rendered, but previously stored malicious payloads remain in the wp_options table. Uninstalling the plugin removes both the code and the stored settings. Deactivation is a quick interim measure; uninstallation or updating to a patched version is the proper remediation.
This analysis is provided for informational purposes only and does not constitute legal or professional advice. Readers should verify all technical details against the vendor's official advisory and conduct their own testing before deploying patches. The vulnerability description, CVSS score, and affected versions are sourced from official CVE and vendor documentation; SEC.co does not independently verify exploitation or confirm the completeness of fix versions. Organizations should consult their security teams and follow their internal change management procedures when patching production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1