CVE-2026-10100 Overview
CVE-2026-10100 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Simple Custom Login Page plugin for WordPress, affecting versions up to and including 1.0.3. The flaw resides in the plugin's color settings fields, including Page Background, Form Background, Text Color, and Link Color. Authenticated attackers with administrator-level access can inject arbitrary CSS rules that render on the wp-login.php page for all unauthenticated visitors. The injected styles enable UI-redress and credential-phishing attacks against site users.
Critical Impact
Attackers with admin privileges can persist malicious CSS on the WordPress login page, manipulating its appearance to facilitate credential theft against any visitor.
Affected Products
- Simple Custom Login Page plugin for WordPress, versions up to and including 1.0.3
- WordPress installations using the plugin with default Settings API configuration
- Any wp-login.php page rendered with stored color option values from the plugin
Discovery Timeline
- 2026-06-02 - CVE-2026-10100 published to the National Vulnerability Database (NVD)
- 2026-06-02 - Last updated in the NVD database
Technical Details for CVE-2026-10100
Vulnerability Analysis
The Simple Custom Login Page plugin registers its color settings through WordPress's Settings API using register_setting() without specifying a sanitize_callback parameter, so stored values flow through update_option() unsanitized. When the plugin outputs these values on wp-login.php, it wraps them in a <style> block and applies esc_attr(). The esc_attr() function is designed for HTML attribute contexts, not CSS contexts: it encodes &, <, >, and quotes, but leaves CSS-significant characters such as ;, {, }, /, and * untouched. An attacker who controls the option value can therefore terminate the current CSS declaration and inject arbitrary rules. Because < and > are encoded, the value cannot close the <style> element, so the injection is confined to the stylesheet rather than the page markup; that is still sufficient for the UI-redress attacks described below.
Root Cause
The root cause is incorrect output encoding for the rendering context. Color option values are written into a stylesheet, but the plugin uses an HTML attribute escaper. The absence of a CSS sanitizer at write time, combined with an unsuitable escaper at read time, permits CSS rule injection. See the Wordfence Vulnerability Analysis and the WordPress Plugin Code Reference for the affected code paths.
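The following Python model, added here as an illustration and not code from the plugin, shows why an attribute escaper is the wrong tool for a stylesheet and what a write-time sanitizer should do instead. It models esc_attr() with html.escape() (both encode only the five characters &, <, >, " and '), assumes the four options are meant to hold plain CSS hex colors, and uses a hypothetical body.login rule and fallback color as stand-ins for the plugin's real output.

```python
import html
import re

# Assumed storage format for the four color options: a CSS hex color such as
# "#1a2b3c" or "#fff". A fixed plugin would enforce this rule in the
# sanitize_callback passed to register_setting(); this Python re-creates it.
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

# Characters that carry meaning inside a stylesheet but that an HTML-attribute
# escaper does not touch.
CSS_METACHARS = ";{}/*"


def esc_attr_model(value: str) -> str:
    """Model of WordPress esc_attr(): encodes &, <, >, double and single quotes only.
    html.escape(quote=True) covers exactly the same five characters."""
    return html.escape(value, quote=True)


def render_vulnerable(option_value: str) -> str:
    """The affected output path as the advisory describes it: the stored value is
    attribute-escaped and then written straight into a stylesheet rule."""
    return "body.login { background-color: %s; }" % esc_attr_model(option_value)


def surviving_css_metachars(option_value: str) -> str:
    """CSS-significant characters that reach the stylesheet unchanged."""
    rendered = esc_attr_model(option_value)
    return "".join(c for c in CSS_METACHARS if c in rendered)


def sanitize_hex_color(value: str):
    """Write-time sanitizer (assumed fix): return the normalised color, or None
    when the value is anything other than a plain hex color."""
    value = value.strip()
    return value.lower() if HEX_COLOR.match(value) else None


def render_hardened(option_value: str, fallback: str = "#ffffff") -> str:
    """Hardened output path: only a validated color is written; anything else
    falls back to a safe default instead of being escaped for the wrong context."""
    color = sanitize_hex_color(option_value) or fallback
    return "body.login { background-color: %s; }" % color


def rule_count(css: str) -> int:
    """Number of rule blocks in a stylesheet fragment; a color value must never change it."""
    return css.count("{")


if __name__ == "__main__":
    # Constructed sample values: a legitimate color, a non-color carrying CSS
    # metacharacters, and a value that tries to leave the <style> element.
    for sample in ("#1A2B3C", "#ffffff; } h1 { color: red", "</style>"):
        print(repr(sample), "surviving metachars:", repr(surviving_css_metachars(sample)))
        print("  vulnerable:", render_vulnerable(sample), "| rules:", rule_count(render_vulnerable(sample)))
        print("  hardened:  ", render_hardened(sample), "| rules:", rule_count(render_hardened(sample)))
```

The vulnerable path turns one rule into two for the non-color sample while the hardened path always emits exactly one; the `</style>` sample shows that esc_attr() does stop markup breakout, which is why the issue is CSS injection rather than full HTML injection.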
Attack Vector
An authenticated administrator submits a crafted value into one of the four color settings fields. The payload closes the existing CSS declaration and adds attacker-controlled rules. When any unauthenticated visitor loads wp-login.php, the injected CSS is served as part of the page. Attackers can overlay fake login forms, hide legitimate elements, replace branding, or load remote assets via CSS to perform UI redress and harvest credentials. Refer to the plugin's output path in its source for the exact rendering logic.
Detection Methods for CVE-2026-10100
Indicators of Compromise
- Unexpected CSS rules, selectors, or url() references inside the <style> block rendered on wp-login.php.
- Color option values in the wp_options table containing CSS-significant characters such as ;, {, }, /*, or */.
- Outbound requests from login page visitors to unfamiliar domains triggered by background-image or @import rules.
Detection Strategies
- Query the WordPress options table for the plugin's color option keys and inspect values for non-color content.
- Compare the HTML output of wp-login.php against a known-good baseline and alert on CSS deltas.
- Review WordPress audit logs for administrator updates to the Simple Custom Login Page settings page.
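The two detection strategies above (auditing the stored option values and diffing the rendered login page against a baseline) can be scripted. The Python below is an added example, not tooling from the plugin or from Wordfence; it assumes the settings are retrievable as JSON (as with the WP-CLI command in the Workarounds section) under hypothetical field names, and the login-page HTML and option values it checks are constructed samples.

```python
import json
import re

# Field names inside the plugin's stored option are an assumption for this
# example; the advisory names the four settings but not their keys. Map them to
# whatever `wp option get <option> --format=json` actually returns.
COLOR_FIELDS = ("page_background", "form_background", "text_color", "link_color")

HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")
STYLE_BLOCK = re.compile(r"<style[^>]*>(.*?)</style>", re.IGNORECASE | re.DOTALL)
CSS_RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Constructs the advisory lists as indicators: remote fetches and comment markers.
CSS_SUSPICIOUS = re.compile(r"url\s*\(|@import|/\*|\*/", re.IGNORECASE)


def audit_color_options(options_json: str):
    """Take the JSON dump of the plugin's settings and return the color fields
    whose value is not a plain hex color, i.e. the ones that should be reset."""
    options = json.loads(options_json)
    return [f for f in COLOR_FIELDS
            if f in options and not HEX_COLOR.match(str(options[f]).strip())]


def css_rules(css: str):
    """Normalised (selector, declarations) pairs for every top-level rule."""
    css = CSS_COMMENT.sub("", css)
    return [(" ".join(sel.split()), " ".join(decl.split()))
            for sel, decl in CSS_RULE.findall(css)]


def login_page_css(html_doc: str) -> str:
    """Concatenate every <style> block found in a captured wp-login.php response."""
    return "\n".join(STYLE_BLOCK.findall(html_doc))


def css_deltas(baseline_html: str, observed_html: str):
    """Diff the rules rendered on wp-login.php against a known-good capture and
    flag constructs that should never appear in a color-only stylesheet."""
    baseline = set(css_rules(login_page_css(baseline_html)))
    observed_css = login_page_css(observed_html)
    observed = css_rules(observed_css)
    return {
        "new_rules": sorted(set(observed) - baseline),
        "suspicious": sorted({m.group(0).lower() for m in CSS_SUSPICIOUS.finditer(observed_css)}),
    }


# Constructed samples: a known-good option set and login page, and a tampered pair.
GOOD_OPTIONS = '{"page_background": "#f1f1f1", "form_background": "#ffffff", "text_color": "#444", "link_color": "#0073aa"}'
TAMPERED_OPTIONS = '{"page_background": "#f1f1f1", "form_background": "#ffffff; } /* x */", "text_color": "#444", "link_color": "#0073aa"}'

BASELINE_HTML = """<html><head><style type="text/css">
body.login { background-color: #f1f1f1; }
#loginform { background-color: #ffffff; }
body.login a { color: #0073aa; }
</style></head><body></body></html>"""

OBSERVED_HTML = """<html><head><style type="text/css">
body.login { background-color: #f1f1f1; }
#loginform { background-color: #ffffff; } #loginform { background-image: url(https://example.invalid/bg.png); }
body.login a { color: #0073aa; }
</style></head><body></body></html>"""

if __name__ == "__main__":
    print("fields to reset:", audit_color_options(TAMPERED_OPTIONS))
    print("login page deltas:", css_deltas(BASELINE_HTML, OBSERVED_HTML))
```

Comparing whole rules rather than selectors matters: an injected rule that reuses an existing selector (as the sample does with `#loginform`) would otherwise be invisible to the diff. The baseline should be captured from a clean install of the same plugin version, since legitimate updates also change the rendered CSS.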
Monitoring Recommendations
- Monitor administrator-level account activity, especially settings changes performed by rarely used accounts.
- Alert on new outbound network destinations referenced from the login page DOM or CSS resources.
- Track plugin version inventory across WordPress sites to identify unpatched installations of Simple Custom Login Page <= 1.0.3.
How to Mitigate CVE-2026-10100
Immediate Actions Required
- Update the Simple Custom Login Page plugin to a fixed version once released by the maintainer.
- Audit the four color option values and reset any that contain characters outside the expected hex color format.
- Review administrator accounts and revoke or rotate credentials for any unexpected or unused privileged users.
Patch Information
At the time of NVD publication on 2026-06-02, the vulnerability affects versions up to and including 1.0.3. Consult the Wordfence advisory and the plugin's official WordPress.org page for the current fixed release. Apply the vendor patch as soon as it is available.
Workarounds
- Deactivate the Simple Custom Login Page plugin until a patched version is installed.
- Restrict administrator access using the principle of least privilege and enforce multi-factor authentication on all admin accounts.
- Deploy a Web Application Firewall (WAF) rule to strip or block CSS-significant characters in requests targeting the plugin's settings endpoint.
# Configuration example: temporarily disable the plugin via WP-CLI
wp plugin deactivate simple-custom-login-page
# Dump the plugin's stored settings as JSON so the four color values can be audited
wp option get scp_options --format=json
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.