HIGH 7.2

CVE-2026-2374

The Login No Captcha reCAPTCHA WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in all versions up to 1.8.0. An unauthenticated attacker can exploit this by triggering a login attempt from a non-standard login page URL (such as xmlrpc.php), which causes the plugin to store malicious JavaScript in the WordPress admin dashboard settings. When an administrator logs in within 30 seconds of the attack, that JavaScript executes in their browser with the administrator's privileges. The vulnerability requires the admin to have a whitelisted IP address configured in the plugin, which is a common configuration for sites restricting login access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, 1.8.0. This is due to the `authenticate()` function storing the unsanitized output of `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when a login attempt is made from a non-standard login page (e.g., xmlrpc.php). The `admin_notices()` function then echoes this stored value directly into the admin dashboard HTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address visits the WordPress dashboard within 30 seconds of the attack.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper handling of the PHP_SELF superglobal in the plugin's authenticate() function. When a login attempt occurs from a non-standard URL, the plugin extracts the filename using basename($_SERVER['PHP_SELF']) and stores it unsanitized in the 'login_nocaptcha_error' WordPress option. The admin_notices() function later retrieves and outputs this value directly to the admin dashboard HTML without escaping or sanitization. An attacker can craft a malicious URL where PHP_SELF contains script tags—for example, by accessing wp-login.php?/evil.php%22onload=%22alert(1) or similar techniques—causing the stored payload to execute when admins view the dashboard. The time window of 30 seconds provides a practical exploitation window if the admin is monitoring login activity.

Business impact

This vulnerability allows attackers to execute arbitrary JavaScript in the administrative dashboard of affected WordPress sites. Potential impacts include credential theft via admin credential harvesting, installation of backdoors, plugin/theme modification, user privilege escalation, malware injection into published content, and defacement. Because the attack is stored and triggered upon admin dashboard access, it can affect multiple administrators if they log in during the exploitation window. Sites using this plugin's IP whitelist feature for access control are at higher risk since the feature suggests administrative sensitivity around site access.

Affected systems

All versions of the Login No Captcha reCAPTCHA WordPress plugin up to and including version 1.8.0 are vulnerable. The attack requires the plugin to be active and configured with IP whitelisting. WordPress installations on any hosting environment (shared, dedicated, or managed) are affected if they meet these conditions.

Exploitability

Exploitability is high. The vulnerability requires no authentication and no special user interaction beyond an administrator visiting their dashboard, which is routine behavior. An attacker can automate the attack by sending a crafted request to wp-login.php with a malicious PHP_SELF value, then waiting for any admin to access the dashboard. The 30-second window is sufficient for opportunistic attacks, and the ability to inject arbitrary JavaScript means attackers can capture credentials, inject backdoors, or perform other malicious actions with admin-level privileges. The CVSS score of 7.2 reflects this moderate-to-high severity due to network exploitability and stored persistence.

Remediation

Update the Login No Captcha reCAPTCHA plugin to a patched version released after version 1.8.0. Verify the specific version number against the plugin's official WordPress.org repository or the vendor's security advisory. Until patching is possible, deactivate and remove the plugin if not critical to operations. As a temporary mitigation, restrict wp-login.php and xmlrpc.php access via web server firewall rules or .htaccess to trusted IP ranges, though this does not fully address the underlying vulnerability.

Patch guidance

Visit the WordPress plugin repository page for Login No Captcha reCAPTCHA or check the vendor's official security advisory to identify the patched version number and release date. Download and install the latest available version once verified. Test the update in a staging environment first to ensure compatibility with your WordPress version and other plugins. After deployment, verify that the plugin is active and functioning correctly, and confirm that IP whitelisting rules still operate as expected. Monitor plugin changelogs for security patches regularly.

Detection guidance

Monitor WordPress admin dashboard access logs for unusual patterns, particularly logins from unexpected locations or times if your admin base is stable. Check the 'login_nocaptcha_error' option in the wp_options table for suspicious content using WordPress database queries or admin tools. Audit web server logs (Apache/Nginx access logs) for requests to wp-login.php containing URL-encoded script tags, percent-encoded characters, or paths like xmlrpc.php in the query string. Enable WordPress security logging plugins that capture authentication attempts and dashboard access. Look for JavaScript console errors or unexpected inline scripts in admin dashboard HTML when viewing the page source.

Why prioritize this

This vulnerability should be prioritized for immediate patching despite its moderate CVSS score. The attack is unauthenticated, has no user-interaction requirement from the attacker's perspective, and results in stored XSS with admin-level impact. Even sites without known active exploitation should patch urgently because the vulnerability is trivial to exploit and the impact—credential theft or backdoor installation—is severe. Sites with exposed or non-standard login URLs face elevated risk.

Risk score, explained

The CVSS 3.1 score of 7.2 (HIGH) is justified by a network-based attack vector, low attack complexity, no privilege requirements, and cross-scope impact. The vulnerability is unauthenticated and remotely exploitable with trivial effort. However, the score does not reflect the stored XSS nature, which increases real-world risk compared to reflected XSS. The 30-second execution window and IP whitelist requirement slightly reduce effective exploitability in practice, preventing a critical rating, but the stored persistence and admin context elevate it above typical moderate vulnerabilities.

Frequently asked questions

How can an unauthenticated attacker trigger the vulnerability if the plugin has IP whitelisting enabled?

IP whitelisting in this plugin only applies to which IPs can successfully log in; it does not prevent unauthenticated attackers from submitting login requests. An attacker can send a login attempt from any IP address to wp-login.php with a crafted URL containing malicious input in the PHP_SELF parameter. The plugin stores the payload regardless of whether the login succeeds or the IP is whitelisted. When a whitelisted admin later accesses the dashboard, the stored script executes in their browser.

What is the difference between this vulnerability and a typical reflected XSS attack?

This is a stored XSS vulnerability, meaning the malicious payload persists in the WordPress database (in the login_nocaptcha_error option) and is delivered to victims repeatedly whenever they view the admin dashboard—not just when they click a malicious link. This makes it significantly more dangerous because administrators who have no knowledge of the attack will be compromised when they perform normal administrative tasks.

Can this vulnerability be exploited if xmlrpc.php is already disabled?

Disabling xmlrpc.php reduces but does not eliminate the attack surface. The vulnerability can also be triggered via other non-standard login URLs or URL path manipulation (e.g., /wp-login.php/nonexistent.php or similar techniques). The safest mitigation is to patch the plugin to remove the vulnerability entirely, as disabling specific URLs does not address the root cause.

If we don't have admin users with whitelisted IPs, are we still at risk?

The plugin's IP whitelist feature is optional; if it's not configured, your site is still vulnerable. Any attacker can trigger the stored XSS by submitting a login request with a malicious PHP_SELF value. The whitelist does not prevent the attack—it only controls who can complete authentication. Even if an attacker cannot log in, their stored payload will execute when any admin visits the dashboard.

This analysis is based on vulnerability data published as of 2026-06-17. CVSS scores and severity ratings are provided by NVD and should be considered in the context of your specific environment. Patch version numbers and release dates must be verified against the official WordPress plugin repository and vendor security advisories before deployment. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the analysis date, but this does not indicate lower real-world risk. Organizations should not delay patching pending KEV inclusion. Testing patches in non-production environments is strongly recommended. For the most current information, consult the official plugin page at wordpress.org/plugins and any published CVE advisories from the plugin vendor. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2025-11262HIGH

    CVE-2025-11262: Link Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance

  • CVE-2025-14773HIGH

    CVE-2025-14773: ABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment

  • CVE-2025-15654HIGH

    CVE-2025-15654: Fox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)

  • CVE-2025-52759HIGH

    CVE-2025-52759: Reflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)

  • CVE-2025-67448HIGH

    CVE-2025-67448: Neterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)

  • CVE-2026-24751HIGH

    CVE-2026-24751: Kiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)

  • CVE-2026-24752HIGH

    CVE-2026-24752: Kiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)

  • CVE-2026-33245HIGH

    CVE-2026-33245: React Router 7.7.0-7.13.1 RSC XSS Vulnerability – Patch Available