Cross-Site Request Forgery in MP Customize Login Page Plugin for WordPress
CVE-2026-6292
4.3 MEDIUM
What is CVE-2026-6292?
The MP Customize Login Page plugin for WordPress contains a serious Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0. The flaw originates from a faulty nonce validation process in the enter_mpclp_login_options() function, which incorrectly applies an inverted check that always permits execution regardless of the nonce condition. This opens the door for unauthenticated attackers to manipulate plugin settings, which could include alterations to the login page's background, logo URL, image dimensions, button colors, and login message. Importantly, these malicious actions can be executed by tricking a logged-in administrator, posing a significant risk to site security.
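The inverted-check pattern described above, next to a corrected handler, as an added illustration. This is not the plugin's source code: every `mpclp_demo_*` name (functions, option, nonce action, form fields) is hypothetical, and the inverted branch shows only one shape such a check can take.

```php
<?php
// Added illustration, NOT the plugin's source. Every mpclp_demo_* name
// (functions, option, nonce action, form fields) is hypothetical.

// Inverted pattern: the verification result is negated, so a request whose
// nonce is missing or invalid (as in a cross-site forged request) reaches
// the save instead of being rejected.
function mpclp_demo_save_inverted() {
    $nonce = isset( $_POST['mpclp_demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['mpclp_demo_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'mpclp_demo_save' ) ) {
        $logo_url = isset( $_POST['logo_url'] ) ? esc_url_raw( wp_unslash( $_POST['logo_url'] ) ) : '';
        update_option( 'mpclp_demo_logo_url', $logo_url );
    }
}

// Corrected handler: capability check, then a nonce check that stops the
// request on failure, then the settings write.
function mpclp_demo_save_hardened() {
    // Only users allowed to manage site options may change login-page settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // check_admin_referer() ends the request unless the named field carries
    // a nonce that is valid for this action and this user session.
    check_admin_referer( 'mpclp_demo_save', 'mpclp_demo_nonce' );

    $logo_url = isset( $_POST['logo_url'] ) ? esc_url_raw( wp_unslash( $_POST['logo_url'] ) ) : '';
    update_option( 'mpclp_demo_logo_url', $logo_url );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
// Run the hardened handler for POSTs to admin-post.php?action=mpclp_demo_save.
add_action( 'admin_post_mpclp_demo_save', 'mpclp_demo_save_hardened' );

// The settings form has to emit the matching hidden field, e.g.:
//   wp_nonce_field( 'mpclp_demo_save', 'mpclp_demo_nonce' );
```

When reviewing other plugins for the same class of bug, look for settings writes such as `update_option()` that sit inside a branch guarded by a negated `wp_verify_nonce()` call, or that follow a nonce check which never returns or dies on failure.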
Affected Version(s)
MP Customize Login Page: versions 0 through 1.0 (<= 1.0)