CVE-2026-2374
Stored XSS in Login No Captcha reCAPTCHA WordPress Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| robert_peake | login_no_captcha_recaptcha | up to and including 1.8.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Login No Captcha reCAPTCHA plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.8.0. This occurs because the plugin's authenticate() function stores an unsanitized value derived from the PHP_SELF server variable into a WordPress option. Later, the admin_notices() function outputs this stored value directly into the admin dashboard HTML without escaping it. As a result, an unauthenticated attacker can inject malicious scripts that execute when an administrator with a whitelisted IP visits the dashboard shortly after the attack.
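The store-then-echo pattern described above, as an added illustration that is not the plugin's own code: the function names, the option name `lncr_last_request_uri` and the notice text are assumptions, chosen only to show the vulnerable shape beside a hardened one.

```php
<?php
// Added illustration of the pattern in the answer above; not the plugin's code.
// Function names are hypothetical; 'lncr_last_request_uri' is an assumed option name.

// Vulnerable shape: a value derived from $_SERVER['PHP_SELF'] (influenced by the
// request path, so reachable without authentication) is stored as-is, then echoed
// unescaped into the admin dashboard. Both halves of CWE-79 are present here.
function lncr_record_request_vulnerable() {
    update_option( 'lncr_last_request_uri', $_SERVER['PHP_SELF'] );
}

function lncr_admin_notice_vulnerable() {
    $uri = get_option( 'lncr_last_request_uri' );
    echo '<div class="notice notice-warning"><p>Last login request: ' . $uri . '</p></div>';
}

// Hardened shape: sanitize on the way in and escape on the way out. Output escaping
// is the control that actually neutralizes stored markup; input sanitization limits
// what gets persisted in the first place.
function lncr_record_request_hardened() {
    $uri = isset( $_SERVER['PHP_SELF'] ) ? wp_unslash( $_SERVER['PHP_SELF'] ) : '';
    update_option( 'lncr_last_request_uri', sanitize_text_field( $uri ) );
}

function lncr_admin_notice_hardened() {
    $uri = get_option( 'lncr_last_request_uri', '' );
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( 'Last login request: ' . $uri )
    );
}

// Review check for site owners and auditors: look for get_option() values that reach
// echo/print/printf without esc_html()/esc_attr(), and for request-derived data
// (PHP_SELF, REQUEST_URI, QUERY_STRING) written to options without sanitization.
```

Where the stored value is only used for a diagnostic notice, the simplest fix is to not persist request-derived data at all; the hardened functions above show the minimum when it must be kept.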
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to execute arbitrary scripts in the context of the WordPress admin dashboard. This can lead to unauthorized actions such as stealing administrator session cookies, performing actions on behalf of the administrator, or injecting malicious content. Since the attack triggers when an admin visits the dashboard, it can compromise the security and integrity of the WordPress site, potentially leading to further exploitation or data breaches.