PatchSiren

robertpeake CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH | robertpeake | CVE published 2026-05-28

CVE-2026-2374

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the `$_SERVER['PHP_SELF']` superglobal in versions up to and including 1.8.0. The vulnerability exists because the `authenticate()` function stores unsanitized output from `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when login attempts occur from non-standard page [truncated]