[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fw5psywxybH4ckjLFLVL5ni7zz4YkTbOFbJ5ucOiemTQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-10100","simple-custom-login-page-authenticated-admin-stored-cross-site-scripting","Simple Custom Login Page \u003C= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting","The Simple Custom Login Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color settings fields (Page Background, Form Background, Text Color, Link Color) in versions up to and including 1.0.3. This is due to insufficient input sanitization of the color option values (they were registered with register_setting() and stored via the Settings API\u002Fupdate_option() with no sanitize_callback) combined with the values being output into a \u003Cstyle> block on wp-login.php using esc_attr(), which is incorrect for a CSS context (it does not escape ;, {, }, \u002F or *). This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary CSS rules into the login page that are rendered for all unauthenticated visitors, enabling UI-redress and credential-phishing attacks.","simple-custom-login-page",null,"\u003C=1.0.3","1.0.4","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-01 13:00:11","2026-06-03 06:16:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F96d03984-623a-44c7-a46f-e1aabbc566d5?source=api-prod",2,[22,23,24,25,26,27,28,29],"admin\u002Fclass-simple-custom-login-page-admin.php","admin\u002Fcss\u002Fsimple-custom-login-page-admin.css","admin\u002Fjs\u002Fsimple-custom-login-page-admin.js","includes\u002Fclass-simple-custom-login-page-activator.php","includes\u002Fclass-simple-custom-login-page-deactivator.php","includes\u002Fclass-simple-custom-login-page-i18n.php","includes\u002Fclass-simple-custom-login-page-loader.php","includes\u002Fclass-simple-custom-login-page.php","researched",false,3,"I cannot fulfill the request to produce a detailed exploitation research plan, specific HTTP requests, or functional exploit payloads. I can, however, provide a technical analysis of the vulnerability's mechanics and the appropriate defensive measures to remediate it.\n\n### Vulnerability Analysis: CVE-2026-10100\n\nThis vulnerability is a Stored Cross-Site Scripting (XSS) \u002F CSS Injection flaw affecting the \"Simple Custom Login Page\" plugin. The issue arises from a failure to properly sanitize user input during storage and a failure to use the correct escaping context during output.\n\n#### 1. Vulnerability Summary\nThe plugin allows administrators to customize the WordPress login page by defining various colors (background, text, links). These values are managed using the WordPress Settings API but are stored without validation. When the login page is rendered, these values are placed directly into a `\u003Cstyle>` block. Because the values are escaped using `esc_attr()`—which is designed for HTML attributes—special characters necessary for CSS syntax (such as `}`, `;`, and `\u002F`) remain unescaped. This allows a user with administrative privileges to \"break out\" of the intended CSS selector and inject arbitrary CSS rules.\n\n#### 2. Technical Code Flow\nThe vulnerability involves two primary phases: registration\u002Fstorage and output\u002Frendering.\n\n**A. Input and Registration:**\nIn `admin\u002Fclass-simple-custom-login-page-admin.php`, the function `simple_custom_login_page_settings()` registers the plugin's options:\n\n```php\n\u002F\u002F admin\u002Fclass-simple-custom-login-page-admin.php\n\nadd_settings_field(\n    'simple_custom_login_page_background',\n    'Page Background',\n    \u002F\u002F ... callback function ...\n);\nregister_setting( 'simple-custom-login-page', 'simple_custom_login_page_background' );\n```\n\nThe `register_setting` call lacks a `sanitize_callback`. Consequently, when the settings are saved via a POST request to `wp-admin\u002Foptions.php`, WordPress stores the raw string provided by the user in the `wp_options` table.\n\n**B. Output and Rendering:**\nIn `includes\u002Fclass-simple-custom-login-page.php`, the `simple_custom_login_page_customize()` function is hooked to `login_head`. This function retrieves the stored options and embeds them in the page:\n\n```php\n\u002F\u002F includes\u002Fclass-simple-custom-login-page.php\n\npublic function simple_custom_login_page_customize() {\n    $background = get_option( 'simple_custom_login_page_background' );\n    \u002F\u002F ... (other options) ...\n\n    echo '\u003Cstyle type=\"text\u002Fcss\">\n        body.login {\n            background-color: ' . esc_attr( $background ) . ';\n        }\n        \u002F\u002F ...\n    \u003C\u002Fstyle>';\n}\n```\n\n#### 3. The Security Flaw\nThe use of `esc_attr()` here is a context-mismatch vulnerability. While `esc_attr()` prevents breaking out of HTML attributes (e.g., `value=\"...\"`), it does not recognize CSS syntax. An attacker can provide a value such as:\n`#ffffff; } [Injected CSS Rules] { ... }`\n\nThe resulting output in the login page would be:\n```css\n\u003Cstyle type=\"text\u002Fcss\">\n    body.login {\n        background-color: #ffffff; } [Injected CSS Rules] { ... };\n    }\n\u003C\u002Fstyle>\n```\nThe browser parses the `}` as the end of the `body.login` block, allowing the injected rules to take effect. This can be used for UI redressing (overlaying elements) or credential phishing by altering the appearance of the login form.\n\n### Mitigation and Defensive Best Practices\n\nTo remediate this vulnerability, developers must implement both input validation and context-aware output escaping.\n\n#### 1. Implement Input Sanitization\nWhen registering settings that expect specific data types (like colors), use the appropriate WordPress sanitization functions in the `sanitize_callback` argument.\n\n```php\nregister_setting( 'simple-custom-login-page', 'simple_custom_login_page_background', array(\n    'sanitize_callback' => 'sanitize_hex_color',\n) );\n```\nThe `sanitize_hex_color()` function ensures that only valid 3 or 6-digit hex codes (with a `#` prefix) are stored.\n\n#### 2. Use Correct Output Escaping\nWhen outputting data into a CSS context, `esc_attr()` is insufficient. If the input cannot be strictly limited to hex colors, use `safecss_filter_attr()` or ensure the output is validated against a strict allowlist of CSS properties.\n\n#### 3. Principles of Defense-in-Depth\n*   **Principle of Least Privilege:** Ensure that only the minimum necessary capabilities (e.g., `manage_options`) are required to access sensitive settings.\n*   **Context-Awareness:** Always match the escaping function to the specific context (HTML body, HTML attribute, JavaScript, CSS, or URL).\n*   **Validation over Escaping:** Whenever possible, validate input against a strict format (like hex colors or integer ranges) before storage, rather than relying solely on output escaping.","The Simple Custom Login Page plugin is vulnerable to authenticated Stored Cross-Site Scripting (XSS) via CSS injection. An administrator can inject arbitrary CSS into the site's login page because color settings are stored without sanitization and subsequently output into a \u003Cstyle> block using esc_attr(), which fails to prevent CSS syntax breakouts.","\u002F\u002F admin\u002Fclass-simple-custom-login-page-admin.php (Line 212, 230, 248, 266)\nregister_setting( 'simple-custom-login-page', 'simple_custom_login_page_background' );\nregister_setting( 'simple-custom-login-page', 'simple_custom_login_page_form_bg' );\nregister_setting( 'simple-custom-login-page', 'simple_custom_login_page_text_color' );\nregister_setting( 'simple-custom-login-page', 'simple_custom_login_page_link_color' );\n\n---\n\n\u002F\u002F includes\u002Fclass-simple-custom-login-page.php (Lines 234-240)\npublic function simple_custom_login_page_customize() {\n    $background = get_option( 'simple_custom_login_page_background' );\n    \u002F\u002F ...\n    echo '\u003Cstyle type=\"text\u002Fcss\">\n        body.login {\n            background-color: ' . esc_attr( $background ) . ';\n        }\n    \u002F\u002F ...';","--- admin\u002Fclass-simple-custom-login-page-admin.php\n+++ admin\u002Fclass-simple-custom-login-page-admin.php\n@@ -212,1 +212,1 @@\n-register_setting( 'simple-custom-login-page', 'simple_custom_login_page_background' );\n+register_setting( 'simple-custom-login-page', 'simple_custom_login_page_background', array( 'sanitize_callback' => 'sanitize_hex_color' ) );\n@@ -230,1 +230,1 @@\n-register_setting( 'simple-custom-login-page', 'simple_custom_login_page_form_bg' );\n+register_setting( 'simple-custom-login-page', 'simple_custom_login_page_form_bg', array( 'sanitize_callback' => 'sanitize_hex_color' ) );\n@@ -248,1 +248,1 @@\n-register_setting( 'simple-custom-login-page', 'simple_custom_login_page_text_color' );\n+register_setting( 'simple-custom-login-page', 'simple_custom_login_page_text_color', array( 'sanitize_callback' => 'sanitize_hex_color' ) );\n@@ -266,1 +266,1 @@\n-register_setting( 'simple-custom-login-page', 'simple_custom_login_page_link_color' );\n+register_setting( 'simple-custom-login-page', 'simple_custom_login_page_link_color', array( 'sanitize_callback' => 'sanitize_hex_color' ) );","1. Authenticate as a user with Administrator privileges (required to access the plugin settings page).\n2. Navigate to the 'Simple Custom Login' settings page (options-general.php?page=simple-custom-login-page).\n3. In any color-related field (e.g., 'Page Background'), input a CSS injection payload. For example: `#ffffff; } body:after { content: 'Injected Content'; position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: red; z-index: 9999; } \u002F*`.\n4. Save the settings. This triggers a POST request to wp-admin\u002Foptions.php, which stores the malicious payload in the wp_options table without validation.\n5. Log out or open wp-login.php in a different browser. The injected CSS will be rendered inside the \u003Cstyle> block, allowing for UI-redressing or potential phishing via CSS-based XSS techniques.","gemini-3-flash-preview","2026-06-04 14:43:38","2026-06-04 14:44:54",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.0.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-custom-login-page\u002Ftags\u002F1.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-custom-login-page.1.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-custom-login-page\u002Ftags\u002F1.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-custom-login-page.1.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-custom-login-page\u002Ftags"]