reCaptcha by WebDesignBy EUVD-2026-25197

CVE-2026-4512 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-23 WPScan GHSA-gq9g-w427-pc6x
CVSS 3.1 score: 3.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Apr 23, 2026 - 13:22 (vuln.today): Analysis Generated
Apr 23, 2026 - 13:22 (NVD): CVSS changed, 3.5 (LOW)
Apr 23, 2026 - 08:01 (EUVD): Patch available

Description (NVD)

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This allows administrators on multisite installations (who do not have the unfiltered_html capability) to inject arbitrary JavaScript that executes for all visitors to the WordPress login page.

Analysis (AI)

The reCaptcha by WebDesignBy WordPress plugin before version 2.0 fails to sanitize the Site Key setting before injecting it into a JavaScript context via the grecaptcha_js() function. This lets site administrators on multisite installations, who lack the unfiltered_html capability, inject arbitrary JavaScript that executes for all login page visitors. Publicly available exploit code exists; the vendor has released a patch.
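The class of bug described above, shown as an added example that is not the plugin's code: a setting concatenated into a quoted JavaScript string, next to input validation on save and context-aware encoding on output. The function names, the sample values and the 40-character site key format are assumptions made for this illustration.

```php
<?php
// Added example: hypothetical function names, not taken from the plugin.

// Assumption: a reCAPTCHA site key is 40 characters from [A-Za-z0-9_-].
// Anything else is rejected when the setting is saved.
function sanitize_site_key(string $raw): string {
    $key = trim($raw);
    return preg_match('/\A[A-Za-z0-9_-]{40}\z/', $key) === 1 ? $key : '';
}

// Unsafe pattern of the kind the advisory describes: the stored value is
// concatenated into a quoted JavaScript string with no escaping.
function render_unsafe(string $site_key): string {
    return "<script>var siteKey = '" . $site_key . "';</script>";
}

// Hardened output: emit a JSON string literal. The JSON_HEX_* flags turn
// <, >, &, ' and " into \uXXXX escapes, so the value cannot terminate the
// string or the surrounding <script> element.
function render_safe(string $site_key): string {
    $flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($site_key, $flags);
    if ($literal === false) {   // e.g. invalid UTF-8 in the stored value
        $literal = '""';
    }
    return '<script>var siteKey = ' . $literal . ';</script>';
}

// Constructed sample values (not from the advisory).
$samples = [
    'well-formed' => '6L' . str_repeat('A', 38),
    'malformed'   => "x'; </script><b>",
];

foreach ($samples as $label => $value) {
    echo "[$label]\n";
    echo '  stored after validation: "' . sanitize_site_key($value) . "\"\n";
    echo '  unsafe render: ' . render_unsafe($value) . "\n";
    echo '  safe render:   ' . render_safe($value) . "\n";
}
```

In WordPress code the output step would typically use wp_json_encode() or esc_js() in place of the bare json_encode() call shown here.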
