CVE-2025-2074
Description
The Advanced Google reCAPTCHA plugin for WordPress is vulnerable to generic SQL Injection via the ‘sSearch’ parameter in all versions up to, and including, 1.29 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries, particularly when the plugin’s settings page hasn’t been visited and its welcome message has not been dismissed. This issue can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress Advanced Google reCAPTCHA plugin <=1.29 has SQL injection via 'sSearch' parameter, allowing authenticated subscribers to extract sensitive data.
Vulnerability
Details
The Advanced Google reCAPTCHA plugin for WordPress [1] versions up to 1.29 is vulnerable to SQL injection via the 'sSearch' parameter. The plugin fails to properly escape user-supplied input and does not prepare SQL queries adequately, allowing attackers with Subscriber-level access or higher to inject additional SQL queries.
Exploitation
Exploitation requires authentication with at least Subscriber privileges. The attack is particularly feasible when the plugin's settings page hasn't been visited and its welcome message hasn't been dismissed. The attacker can append malicious SQL queries to existing ones, leveraging the flawed handling of the 'sSearch' parameter.
Impact
Successful exploitation enables attackers to extract sensitive information from the WordPress database, such as user credentials or other confidential data. This could lead to further compromise of the site.
Mitigation
As of the publication date, no patched version has been released. Users are advised to update to the latest version if available, or consider disabling the plugin until a security update is deployed.
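To make the mechanism concrete, the following added illustration (not the plugin's own code; the table and column names are hypothetical) contrasts the flawed pattern the description refers to, a request value interpolated straight into a LIKE clause, with the hardened WordPress idiom: capability and nonce checks, wp_unslash plus sanitization, $wpdb->esc_like() for the LIKE wildcards, and $wpdb->prepare() so the value is bound as a string instead of being parsed as SQL.

```php
<?php
// Added example, not code from the Advanced Google reCAPTCHA plugin.
// Table name (demo_log) and columns (id, ip, created) are hypothetical.

// FLAWED PATTERN: the raw request value is concatenated into the query.
// A quote character inside sSearch terminates the LIKE literal, so the
// remainder of the value is parsed by MySQL as part of the statement.
function agr_demo_search_flawed() {
    global $wpdb;
    $search = isset( $_POST['sSearch'] ) ? $_POST['sSearch'] : '';
    $table  = $wpdb->prefix . 'demo_log';
    $sql    = "SELECT id, ip, created FROM {$table} WHERE ip LIKE '%{$search}%'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// HARDENED PATTERN:
//  1. require an administrative capability (a Subscriber is rejected),
//  2. verify the AJAX nonce,
//  3. unslash and sanitize the input,
//  4. escape LIKE metacharacters (% and _) with esc_like(),
//  5. bind the value with prepare() so it can never alter the query shape.
function agr_demo_search_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'agr_demo_search' );

    $search = sanitize_text_field( wp_unslash( $_POST['sSearch'] ?? '' ) );
    $table  = $wpdb->prefix . 'demo_log';
    $like   = '%' . $wpdb->esc_like( $search ) . '%';

    // %s is quoted and escaped by prepare(); %d is cast to an integer.
    $sql = $wpdb->prepare(
        "SELECT id, ip, created FROM {$table} WHERE ip LIKE %s LIMIT %d",
        $like,
        100
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

In a review of any WordPress AJAX handler, the check is simply whether every value that reaches $wpdb passes through prepare() (or an equivalent binding API) and whether the handler verifies a capability before touching the database.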
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.29
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/advanced-google-recaptcha/trunk/libs/admin.php (nvd)
- plugins.trac.wordpress.org/browser/advanced-google-recaptcha/trunk/libs/ajax.php (nvd)
- plugins.trac.wordpress.org/browser/advanced-google-recaptcha/trunk/libs/setup.php (nvd)
- plugins.trac.wordpress.org/changeset/3262396/ (nvd)
- wordpress.org/plugins/advanced-google-recaptcha/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/963a9b30-9194-4abc-aa69-eb333cbddef3 (nvd)
News mentions
No linked articles in our index yet.