PT-2026-44172 · WordPress · Login No Captcha Recaptcha

Ismailshadow

·

Published

2026-05-28

·

Updated

2026-05-28

·

CVE-2026-2374

CVSS v3.1

7.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Login No Captcha reCAPTCHA versions prior to 1.8.1
Description The plugin is subject to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. The issue occurs because the authenticate() function stores the unsanitized output of the $ SERVER['PHP SELF'] superglobal in the login nocaptcha error WordPress option during login attempts from non-standard pages, such as 'xmlrpc.php'. Subsequently, the admin notices() function outputs this stored value into the admin dashboard HTML without proper escaping. This allows unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address accesses the dashboard within 30 seconds of the attack.
Recommendations Update to a version later than 1.8.0.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-2374

Affected Products

Login No Captcha Recaptcha