WordPress Login Page Editor Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Login Page Editor plugin for WordPress, affecting all versions up to and including 1.2. The vulnerability arises from a lack of nonce validation in the 'devotion_loginform_process()' AJAX action, allowing unauthenticated attackers to manipulate the plugin's login page settings. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

Impact

Exploitation of this vulnerability allows for unauthorized changes to be made to the login page settings of the affected WordPress site.

Added: Jan 24, 2026, 8:23 AM

Updated: Jan 24, 2026, 8:23 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

6.9

remediation

0.0

relevance

2.3

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

6.9

remediation

0.0

relevance

2.3

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WordPress Login Page Editor Plugin Cross-Site Request Forgery Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating