VYPR
Low severity (3.5) · NVD Advisory · Published Apr 23, 2026 · Updated Apr 23, 2026

CVE-2026-4512

Description

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This allows administrators on multisite installations (who do not have the unfiltered_html capability) to inject arbitrary JavaScript that executes for all visitors to the WordPress login page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in reCaptcha by WebDesignBy WordPress plugin before 2.0 allows multisite admins without unfiltered_html to inject arbitrary JS via the Site Key setting.

The reCaptcha by WebDesignBy WordPress plugin prior to version 2.0 fails to sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This lack of output encoding allows stored cross-site scripting (XSS) when the setting is rendered on the login page [1].

The vulnerability is exploitable by administrators on multisite installations who do not have the unfiltered_html capability. Such users can inject arbitrary JavaScript into the Site Key field, which is then executed for all visitors to the WordPress login page. No additional authentication is required from the attacker beyond their existing admin privileges on the multisite network [1].

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of every visitor's browser session on the login page. This can lead to session hijacking, credential theft, or redirection to malicious sites, affecting all users including site administrators and regular visitors [1].

The issue has been fixed in version 2.0 of the plugin. Users are strongly advised to update to the latest version to mitigate the risk. No workaround is currently available beyond updating [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
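The defect class named above (a stored setting echoed verbatim into a JavaScript string, so a quote or a `</script>` sequence in the value changes the page's script) is easiest to see next to its hardened form. The snippet below is an added illustration, not the plugin's code: the function names, the sample value and the key-format regex are assumptions, and plain `json_encode()` stands in for WordPress's `wp_json_encode()` so the file runs without WordPress.

```php
<?php
// Added example (not the reCaptcha by WebDesignBy plugin's code): emitting a
// stored setting inside a JavaScript string. Function names are hypothetical.
// json_encode() is used in place of WordPress's wp_json_encode() so this runs
// stand-alone; in a plugin, wp_json_encode() takes the same flags.

/** Vulnerable pattern: the stored value is concatenated into a JS string as-is. */
function render_recaptcha_js_unsafe(string $site_key): string
{
    return "<script>grecaptcha.execute('" . $site_key . "');</script>";
}

/**
 * Hardened pattern: serialise the value as a JS string literal. The JSON_HEX_*
 * flags turn < > & ' " into \u00XX escapes, so the value can neither close the
 * string nor close the <script> element, whatever the stored setting contains.
 */
function render_recaptcha_js_safe(string $site_key): string
{
    $literal = json_encode(
        $site_key,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>grecaptcha.execute(" . $literal . ");</script>";
}

/**
 * Input-side control (defence in depth, not a substitute for output encoding):
 * keep only values that look like a key. The character class and length are
 * an assumed allow-list; adjust to the real key format of your provider.
 */
function sanitize_site_key(string $value): string
{
    $value = trim($value);
    return preg_match('/^[A-Za-z0-9_-]{10,100}$/', $value) === 1 ? $value : '';
}

/** Structural check for rendered output: exactly one script element, no extras. */
function emits_single_script_block(string $html): bool
{
    $lower = strtolower($html);
    return substr_count($lower, '<script') === 1
        && substr_count($lower, '</script') === 1;
}

// Constructed sample value, not a real site key: it contains a quote and a
// closing script tag, the two characters classes that matter in this context.
$untrusted = "key'</script><b>";

echo render_recaptcha_js_unsafe($untrusted), PHP_EOL;
echo render_recaptcha_js_safe($untrusted), PHP_EOL;

var_dump(emits_single_script_block(render_recaptcha_js_unsafe($untrusted)));
var_dump(emits_single_script_block(render_recaptcha_js_safe($untrusted)));
var_dump(sanitize_site_key($untrusted) === '');
```

Run with `php example.php`: the unsafe renderer produces a second `</script>` in the page, so `emits_single_script_block()` reports false for it and true for the hardened renderer, and the sample value is rejected by the allow-list. In a WordPress plugin the same two controls map to a `sanitize_callback` passed to `register_setting()` for the input side and `wp_json_encode()` (or `esc_js()` when the value sits inside an HTML attribute rather than a `<script>` block) for the output side; output encoding is the control that actually closes the bug described here, because the input filter can be bypassed by anyone who can write the option through another path.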

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 1