PatchSiren cyber security CVE debrief
CVE-2026-2374 robertpeake CVE debrief
The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the `$_SERVER['PHP_SELF']` superglobal in versions up to and including 1.8.0. The vulnerability exists because the `authenticate()` function stores unsanitized output from `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when login attempts occur from non-standard pages such as xmlrpc.php. The `admin_notices()` function subsequently echoes this stored value directly into admin dashboard HTML without proper escaping. Unauthenticated attackers can exploit this to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address accesses the WordPress dashboard within 30 seconds of the attack. The vulnerability was published on 2026-05-28 and carries a CVSS 3.1 score of 7.2 (HIGH).
- Vendor: robertpeake
- Product: Login No Captcha reCAPTCHA
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
WordPress site administrators using Login No Captcha reCAPTCHA plugin; security teams monitoring WordPress plugin vulnerabilities; developers maintaining WordPress installations with custom login page configurations
Technical summary
The vulnerability stems from two missing controls: `basename($_SERVER['PHP_SELF'])` is stored in a WordPress option without sanitization, and `admin_notices()` echoes the stored value into admin HTML without output escaping. `PHP_SELF` is derived from the request path (including any trailing path-info segment), so its basename is attacker-influenced; a crafted request to a non-standard endpoint such as xmlrpc.php or a custom login page therefore lands attacker-chosen text, including HTML or JavaScript markup, in the stored option. The payload executes in the context of an authenticated administrator's session when the `admin_notices` hook fires during dashboard rendering.
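The store-then-echo pattern described above, placed beside a hardened form, as an added illustration that is not the plugin's own code: the `example_` function names and the `example_nocaptcha_error` option name are assumptions, while `add_filter`, `add_action`, `update_option`, `get_option`, `sanitize_text_field`, `wp_strip_all_tags` and `esc_html` are real WordPress core APIs.

```php
<?php
/**
 * Added example, not the plugin's code. Shows the vulnerable pattern the
 * advisory describes (raw PHP_SELF basename stored, then echoed unescaped)
 * next to a hardened version, plus an incident-response check on the
 * stored option. Names prefixed "example_" are assumptions.
 */

// --- Vulnerable pattern ----------------------------------------------------

// PHP_SELF is built from the request path, so basename() of it is
// attacker-influenced on endpoints such as xmlrpc.php.
function example_vulnerable_authenticate( $user, $username, $password ) {
	$page = basename( $_SERVER['PHP_SELF'] );
	if ( 'wp-login.php' !== $page ) {
		// Unsanitized, attacker-influenced string persisted to wp_options.
		update_option( 'example_nocaptcha_error', 'Login attempt from ' . $page );
	}
	return $user;
}

function example_vulnerable_admin_notices() {
	$error = get_option( 'example_nocaptcha_error', '' );
	if ( '' !== $error ) {
		// Raw echo into admin HTML: any stored markup executes here.
		echo '<div class="notice notice-error"><p>' . $error . '</p></div>';
	}
}

// --- Hardened pattern ------------------------------------------------------

function example_hardened_authenticate( $user, $username, $password ) {
	// Sanitize at the trust boundary: strip tags, octets and line breaks
	// before the value ever reaches the database.
	$page = sanitize_text_field( basename( $_SERVER['PHP_SELF'] ) );
	if ( 'wp-login.php' !== $page ) {
		update_option( 'example_nocaptcha_error', $page );
	}
	return $user;
}

function example_hardened_admin_notices() {
	$page = get_option( 'example_nocaptcha_error', '' );
	if ( '' !== $page ) {
		// Escape at output regardless of what is stored; the two controls
		// are independent, and either one alone would have blocked this bug.
		printf(
			'<div class="notice notice-error"><p>%s</p></div>',
			esc_html( sprintf( 'Login attempt from %s', $page ) )
		);
	}
}

// --- Incident-response check -----------------------------------------------

// True when the stored option contains markup that output escaping would
// have neutralised, i.e. evidence that a payload was written.
function example_option_contains_markup( $option_name ) {
	$value = (string) get_option( $option_name, '' );
	return '' !== $value && wp_strip_all_tags( $value ) !== $value;
}

// Wire the hardened versions in (the vulnerable ones are shown only for
// comparison and must not be hooked).
add_filter( 'authenticate', 'example_hardened_authenticate', 30, 3 );
add_action( 'admin_notices', 'example_hardened_admin_notices' );
```

The check function is the piece to run against an affected site before upgrading: called with the real option name from the advisory, `example_option_contains_markup( 'login_nocaptcha_error' )`, a `true` result means something other than a plain script basename was stored. The same inspection can be done from the command line with `wp option get login_nocaptcha_error`.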
Defensive priority
HIGH
Recommended defensive actions
- Upgrade the Login No Captcha reCAPTCHA plugin to version 1.8.1 or later
- Inspect the stored `login_nocaptcha_error` option (for example with `wp option get login_nocaptcha_error`) for HTML or script markup; anything other than a plain script basename indicates an exploitation attempt
- Review web server logs for login attempts made through non-standard endpoints (xmlrpc.php, custom login pages), in particular requests whose path contains markup or encoded angle brackets
- Where feasible, deploy Content Security Policy headers to limit the impact of stored XSS, noting that wp-admin relies heavily on inline scripts and a restrictive policy there needs testing
- If immediate patching is not feasible, temporarily disable the plugin, or block xmlrpc.php at the web server if the site does not need it
- Monitor for unauthorized xmlrpc.php access attempts
Evidence notes
Vulnerability confirmed via WordPress plugin repository source code analysis. The `authenticate()` function at line 281 and `admin_notices()` function at line 377 in login-nocaptcha.php were identified as the vulnerable code paths. A changeset (3549342) addressing the issue has been committed to the plugin repository.
Official resources
2026-05-28