CVE-2026-2374 in Login No Captcha reCAPTCHA Pluginالمعلومات

الملخص

بحسب MITRE • 28/05/2026

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, 1.8.0. This is due to the `authenticate()` function storing the unsanitized output of `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when a login attempt is made from a non-standard login page (e.g., xmlrpc.php). The `admin_notices()` function then echoes this stored value directly into the admin dashboard HTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address visits the WordPress dashboard within 30 seconds of the attack.

Once again VulDB remains the best source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

Wordfence

حجز

11/02/2026

إفشاء

28/05/2026

الاعتدال

تمت الموافقة

إدخال

VDB-366562

CPE

جاهز

CWE

CWE-79 (مؤكد)

CVSS

7.2 (CNA)

EPSS

0.00137

KEV

لا

النشاطات

منخفض جدًا

القطاع

Hostingprovider

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-2374
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-2374
CVE Details	https://www.cvedetails.com/cve/CVE-2026-2374/

التالي ▸نظرة عامة ◂ السابق

Interested in the pricing of exploits?

See the underground prices here!