VYPR
High severity 7.2 · NVD Advisory · Published May 28, 2026

CVE-2026-2374

Description

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $_SERVER['PHP_SELF'] superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate() function storing the unsanitized output of basename($_SERVER['PHP_SELF']) in the login_nocaptcha_error WordPress option when a login attempt is made from a non-standard login page (e.g., xmlrpc.php). The admin_notices() function then echoes this stored value directly into the admin dashboard HTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address visits the WordPress dashboard within 30 seconds of the attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in the Login No Captcha reCAPTCHA plugin allows unauthenticated attackers to inject scripts via PHP_SELF that execute when an administrator visits the dashboard.

Vulnerability

The Login No Captcha reCAPTCHA plugin for WordPress versions up to and including 1.8.0 contains a stored cross-site scripting vulnerability in the authenticate() function. When a login attempt is made from a non-standard login page (e.g., xmlrpc.php), the function stores the unsanitized output of basename($_SERVER['PHP_SELF']) into the login_nocaptcha_error WordPress option. The admin_notices() function then echoes this stored value directly into the admin dashboard HTML without escaping [1][2][3][4].

Exploitation

An unauthenticated attacker can trigger the vulnerability by making a login request to a non-standard login page such as xmlrpc.php with a crafted PHP_SELF value containing malicious JavaScript. The attacker does not need authentication or any special network position beyond being able to send HTTP requests to the WordPress site. The malicious payload is stored in the login_nocaptcha_error option and will be executed when an administrator with a whitelisted IP address visits the WordPress dashboard within 30 seconds of the attack [1].

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts into the admin dashboard. This can lead to session hijacking, credential theft, or further compromise of the WordPress site. The attack requires the administrator to have a whitelisted IP address (as configured in the plugin) and to visit the dashboard within the 30-second window, but no other user interaction is needed [1].

Mitigation

As of the publication date (2026-05-28), no fixed version has been released. Users should disable the plugin until a patch is available. The vulnerability is not listed in the CISA KEV as of this writing. Administrators can temporarily remove the whitelist IP feature or restrict access to non-standard login pages as a workaround [1].

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization of `$_SERVER['PHP_SELF']` before storing it in a WordPress option, and missing output escaping when rendering that option in admin notices."

Attack vector

An unauthenticated attacker sends a login request to a non-standard login page such as `xmlrpc.php` with a crafted `PHP_SELF` value containing a JavaScript payload. The `authenticate()` function stores `basename($_SERVER['PHP_SELF'])`, which includes the attacker-controlled script name, into the `login_nocaptcha_error` option without sanitization [ref_id=1]. When an administrator whose IP address is whitelisted visits the WordPress dashboard within 30 seconds, the `admin_notices()` function echoes the stored value directly into the admin page HTML, executing the injected script [ref_id=1].

Affected code

The vulnerability resides in the `authenticate()` function, which stores the unsanitized output of `basename($_SERVER['PHP_SELF'])` into the `login_nocaptcha_error` WordPress option. The `admin_notices()` function then echoes this stored value directly into the admin dashboard HTML without escaping [ref_id=1].

What the fix does

Version 1.8.1 escapes the `PHP_SELF` value before storing it in the database and escapes output in admin notices to prevent stored XSS [ref_id=1]. The changelog explicitly states: "Security: escape output in admin notices to prevent stored XSS" and "Security: escape PHP_SELF value before storing in database" [ref_id=1]. These changes ensure that any attacker-controlled input is properly sanitized before being persisted and rendered.
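To make the store-then-echo pattern and the two-sided fix concrete, here is an added illustrative reconstruction; it is not the plugin's own code. The function names prefixed `vuln_`/`safe_`, the `'wp-login.php'` comparison, the notice wording, and the choice of `sanitize_text_field()` for the storage-side step are assumptions; only the option name and the use of `basename($_SERVER['PHP_SELF'])` come from the advisory.

```php
<?php
// Illustrative reconstruction (not the plugin's code) of the pattern the
// advisory describes, followed by a hardened version.

// --- Vulnerable pattern: store raw PHP_SELF, echo the option unescaped ---
function vuln_record_login_page_error() {
    // basename() only strips directory components; it does not neutralise
    // HTML metacharacters, so the value is still attacker-influenced markup.
    $page = basename( $_SERVER['PHP_SELF'] );
    if ( 'wp-login.php' !== $page ) {            // assumed "non-standard page" check
        update_option( 'login_nocaptcha_error', $page );   // persisted unsanitised
    }
}

function vuln_admin_notices() {
    $err = get_option( 'login_nocaptcha_error' );
    if ( $err ) {
        // Stored XSS sink: untrusted option value concatenated into admin HTML.
        echo '<div class="notice notice-error"><p>Login attempt from ' . $err . '</p></div>';
    }
}

// --- Hardened pattern, mirroring the 1.8.1 changelog: sanitise on store,
//     escape on output. Either step alone closes this path; both are kept
//     because the option can also be edited outside this code. ---
function safe_record_login_page_error() {
    $page = basename( $_SERVER['PHP_SELF'] );
    if ( 'wp-login.php' !== $page ) {
        // sanitize_text_field() strips tags and control characters before the
        // value reaches the database (assumed equivalent of "escape before storing").
        update_option( 'login_nocaptcha_error', sanitize_text_field( $page ) );
    }
}

function safe_admin_notices() {
    $err = get_option( 'login_nocaptcha_error' );
    if ( $err ) {
        // esc_html() at the sink: the option is treated as untrusted data
        // regardless of what was written to it.
        echo '<div class="notice notice-error"><p>Login attempt from '
           . esc_html( $err ) . '</p></div>';
    }
}

add_action( 'admin_notices', 'safe_admin_notices' );
```

A defender auditing a site on an affected version can inspect the current value of the `login_nocaptcha_error` option directly in the database; any markup in it indicates an attempt was recorded.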

Preconditions

  • config: The administrator's IP address must be whitelisted in the plugin settings
  • network: The attacker must be able to send HTTP requests to the WordPress site (no authentication required)
  • input: The administrator must visit the WordPress dashboard within 30 seconds of the attack

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0

No linked articles in our index yet.