CVE-2026-1088 in Login Page Editor Plugin
Summary
by MITRE • 01/24/2026
The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 01/25/2026
The vulnerability identified as CVE-2026-1088 affects the Login Page Editor plugin for WordPress, a widely used tool that allows administrators to customize the appearance and functionality of their site's login page. This particular flaw represents a critical security weakness that undermines the integrity of the plugin's configuration management system. The vulnerability exists in all versions up to and including 1.2, making it a persistent threat across multiple releases of the software. The issue stems from the plugin's failure to implement proper authentication mechanisms for its administrative functions, creating an exploitable gap that malicious actors can leverage to manipulate the login page settings without proper authorization.
The technical root cause of this vulnerability lies in the absence of nonce validation within the devotion_loginform_process() AJAX action handler. Nonce validation serves as a cryptographic token that ensures requests originate from legitimate sources and have not been tampered with during transmission. Without this crucial security measure, the plugin's AJAX endpoint becomes vulnerable to cross-site request forgery attacks where attackers can craft malicious requests that appear to come from authenticated users. This flaw specifically impacts the plugin's ability to verify the authenticity of administrative actions, allowing unauthorized modifications to login page configurations through carefully crafted forged requests that exploit the trust relationship between the web browser and the targeted WordPress installation.
The operational impact of this vulnerability extends beyond simple configuration changes, as it provides attackers with the capability to fundamentally alter how users access the site's administrative interface. An attacker who successfully exploits this vulnerability could modify login page settings to redirect users to malicious domains, change login form behavior, or disable critical security features. The attack requires only that an administrator be tricked into clicking on a malicious link, making it particularly dangerous in environments where administrators frequently browse untrusted websites or receive phishing emails. This social engineering component significantly increases the attack surface and makes the vulnerability particularly challenging to defend against. The consequences could include unauthorized access to administrative panels, data breaches, or the complete compromise of WordPress installations that rely on this plugin for login page customization.
Mitigation strategies for this vulnerability should focus on immediate remediation through plugin updates to versions that properly implement nonce validation, as well as network-level protections such as web application firewalls that can detect and block suspicious AJAX requests. Administrators should also implement additional security measures including regular security audits, monitoring of plugin configuration changes, and user education about phishing risks. The vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications, and represents a clear violation of the principle of least privilege in security design. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and credential access, as it enables attackers to manipulate administrative functions without proper authentication. Organizations should also consider implementing automated patch management systems to ensure timely updates and reduce the window of exposure for known vulnerabilities.