PT-2026-44172 · WordPress · Login No Captcha Recaptcha
Ismailshadow
·
Published
2026-05-28
·
Updated
2026-05-28
·
CVE-2026-2374
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Login No Captcha reCAPTCHA versions prior to 1.8.1
Description
The plugin is subject to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. The issue occurs because the
authenticate() function stores the unsanitized output of the $ SERVER['PHP SELF'] superglobal in the login nocaptcha error WordPress option during login attempts from non-standard pages, such as 'xmlrpc.php'. Subsequently, the admin notices() function outputs this stored value into the admin dashboard HTML without proper escaping. This allows unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address accesses the dashboard within 30 seconds of the attack.Recommendations
Update to a version later than 1.8.0.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Login No Captcha Recaptcha