Stored Cross-Site Scripting Vulnerability in Login No Captcha reCAPTCHA Plugin for WordPress
CVE-2026-2374

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 28 May 2026

What is CVE-2026-2374?

The Login No Captcha reCAPTCHA plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability through its handling of the $_SERVER['PHP_SELF'] value in the authenticate() function. When a user attempts to log in from a non-standard page, the plugin captures and stores this data unsanitized, and it can later be injected into the admin dashboard. This enables unauthenticated attackers to execute malicious scripts on the dashboard when an administrator accesses it shortly after the attack.
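The store-then-render pattern described above, next to a hardened form, as an added example that is not the plugin's own code. The function names, the array standing in for the stored option, and the sample request value are hypothetical; in WordPress the output step would normally use esc_html().

```php
<?php
// Constructed sample request value. PHP_SELF reflects the request path,
// including anything a client appends after the script name.
$server = ['PHP_SELF' => '/custom-login.php/"><b>marker</b>'];

// Hypothetical in-memory stand-in for the plugin's stored option.
$store = [];

// Weak pattern described in the advisory: store raw, print raw.
function record_unsafe(array &$store, array $server): void {
    $store['last_login_page'] = $server['PHP_SELF'];
}
function notice_unsafe(array $store): string {
    return '<p>Login attempted from: ' . $store['last_login_page'] . '</p>';
}

// Hardened: validate at store time against an allow-list of plain script paths.
function record_safe(array &$store, array $server): void {
    $raw = (string) ($server['PHP_SELF'] ?? '');
    $ok  = strlen($raw) <= 255
        && preg_match('#^/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+\.php$#D', $raw) === 1;
    $store['last_login_page'] = $ok ? $raw : '(unrecognized path)';
}

// Hardened: escape at output time regardless of what was stored.
function notice_safe(array $store): string {
    $value = htmlspecialchars($store['last_login_page'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Login attempted from: ' . $value . '</p>';
}

record_unsafe($store, $server);
echo notice_unsafe($store), "\n";   // markup from the request reaches the page

// Output escaping alone neutralizes a value that was already stored raw.
echo notice_safe($store), "\n";

record_safe($store, $server);
echo notice_safe($store), "\n";     // placeholder stored, then escaped
```

Escaping at output is the control that matters for values already in the database; the store-time check only limits what new requests can add.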

Affected Version(s)

Login No Captcha reCAPTCHA 0 <= 1.8.0

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ISMAILSHADOW