Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Network-delivered DOM XSS requires low-privilege authentication and victim interaction; availability impact is not a credible outcome of client-side script injection and is assessed as N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 & v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA (v2 & v3) for Asgaros Forum: from n/a through <= 1.1.0.
AnalysisAI
DOM-Based Cross-Site Scripting in the reCAPTCHA (v2 & v3) for Asgaros Forum WordPress plugin (all versions through 1.1.0) enables authenticated low-privilege forum users to inject client-side scripts that execute in victims' browsers. The CVSS Scope:Changed metric (S:C) indicates the injected scripts can affect browser contexts beyond the vulnerable plugin component itself - including the broader WordPress session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid low-privilege account on the target WordPress site (consistent with PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (Medium) reflects AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers as a low-privilege user on a WordPress site running the vulnerable plugin and submits a crafted input through a forum interaction that the plugin processes client-side without sanitization. When an administrator or another authenticated user visits the affected forum page, the malicious DOM-injected script executes in their browser, potentially exfiltrating session cookies or performing privileged WordPress actions on their behalf. |
| Remediation | No confirmed patched version is available from the provided intelligence data - the affected range is stated as 'through <= 1.1.0' with no explicit fix version cited. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43445