CVE-2025-60177
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha – wp recaptcha-wp allows Stored XSS. This issue affects Recaptcha – wp: from n/a through <= 0.2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Recaptcha – wp plugin versions ≤ 0.2.6 allows authenticated attackers to inject malicious scripts.
Vulnerability Description
The Recaptcha – wp WordPress plugin (slug: recaptcha-wp), versions from n/a through 0.2.6, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This means input supplied by an authenticated user is not properly sanitized before being stored and later rendered in the admin interface or other pages, allowing arbitrary JavaScript to be injected.
Exploitation
To exploit this issue, an attacker must have at least the required privilege level (e.g., a contributor or higher) to submit input that gets persisted. The attack requires user interaction — a privileged user (such as an administrator) must perform an action like clicking a link, visiting a crafted page, or submitting a form to trigger the stored payload [1]. No authentication bypass is needed beyond the attacker's own account.
Impact
If successfully exploited, the attacker can inject malicious scripts that execute in the context of other users' browsers. This can be used to redirect visitors, display unauthorized advertisements, steal session cookies, or deface the site [1]. The vulnerability has a CVSS v3 score of 5.9 (Medium) and is known to be used in mass-exploit campaigns targeting thousands of WordPress sites.
Mitigation
Users are strongly advised to update the Recaptcha – wp plugin to a patched version as soon as possible. If updating is not feasible, contacting the hosting provider or a web developer for assistance is recommended [1]. No workaround other than disabling the plugin is currently available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.