CVE-2026-2374
Deferred Deferred - Pending Action
Stored XSS in Login No Captcha reCAPTCHA WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, 1.8.0. This is due to the `authenticate()` function storing the unsanitized output of `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when a login attempt is made from a non-standard login page (e.g., xmlrpc.php). The `admin_notices()` function then echoes this stored value directly into the admin dashboard HTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address visits the WordPress dashboard within 30 seconds of the attack.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-2374
EUVD
EUVD-2026-32704
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
robert_peake login_no_captcha_recaptcha to 1.8.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Login No Captcha reCAPTCHA plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.8.0. This occurs because the plugin's authenticate() function stores an unsanitized value derived from the PHP_SELF server variable into a WordPress option. Later, the admin_notices() function outputs this stored value directly into the admin dashboard HTML without escaping it. As a result, an unauthenticated attacker can inject malicious scripts that execute when an administrator with a whitelisted IP visits the dashboard shortly after the attack.

Compliance Impact

The vulnerability allows unauthenticated attackers to inject arbitrary scripts that execute in the administrator's dashboard, potentially leading to unauthorized access or data exposure.

Such unauthorized script execution and potential data compromise could negatively impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly detail the direct impact on compliance with these regulations.

Mitigation Strategies

To mitigate this vulnerability, you should update the Login No Captcha reCAPTCHA plugin to a version later than 1.8.0 where the issue is fixed.

Additionally, avoid using non-standard login pages such as xmlrpc.php for login attempts, or apply additional security measures to these endpoints.

Ensure that your WordPress installation and plugins are kept up to date to prevent exploitation of known vulnerabilities.

Impact Analysis

This vulnerability allows unauthenticated attackers to execute arbitrary scripts in the context of the WordPress admin dashboard. This can lead to unauthorized actions such as stealing administrator session cookies, performing actions on behalf of the administrator, or injecting malicious content. Since the attack triggers when an admin visits the dashboard, it can compromise the security and integrity of the WordPress site, potentially leading to further exploitation or data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2374. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart