Skip to main content

reCAPTCHA for Asgaros Forum EUVDEUVD-2026-43445

| CVE-2026-57365 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Network-delivered DOM XSS requires low-privilege authentication and victim interaction; availability impact is not a credible outcome of client-side script injection and is assessed as N.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 11:29 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 &amp; v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA (v2 &amp; v3) for Asgaros Forum: from n/a through <= 1.1.0.

AnalysisAI

DOM-Based Cross-Site Scripting in the reCAPTCHA (v2 & v3) for Asgaros Forum WordPress plugin (all versions through 1.1.0) enables authenticated low-privilege forum users to inject client-side scripts that execute in victims' browsers. The CVSS Scope:Changed metric (S:C) indicates the injected scripts can affect browser contexts beyond the vulnerable plugin component itself - including the broader WordPress session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register low-privilege forum account
Delivery
Submit crafted DOM XSS payload via forum interaction
Exploit
Victim authenticated user visits affected forum page
Execution
Client-side JavaScript processes unsanitized input and writes payload to DOM
Persist
Malicious script executes in victim's browser session
Impact
Session token or WordPress nonce exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid low-privilege account on the target WordPress site (consistent with PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (Medium) reflects AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers as a low-privilege user on a WordPress site running the vulnerable plugin and submits a crafted input through a forum interaction that the plugin processes client-side without sanitization. When an administrator or another authenticated user visits the affected forum page, the malicious DOM-injected script executes in their browser, potentially exfiltrating session cookies or performing privileged WordPress actions on their behalf.
Remediation No confirmed patched version is available from the provided intelligence data - the affected range is stated as 'through <= 1.1.0' with no explicit fix version cited. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy