Cross-Site Scripting in reCaptcha Plugin for WordPress by WebDesignBy
CVE-2026-4512
Key Information:
- Vendor: WordPress
- Status
- Vendor
- CVE Published: 23 April 2026
What is CVE-2026-4512?
The reCaptcha plugin developed by WebDesignBy for WordPress, in versions prior to 2.0, is vulnerable to Cross-Site Scripting (XSS). The plugin does not properly sanitize or escape the Site Key setting, which the grecaptcha_js() function outputs directly into a JavaScript context. As a result, administrators on multisite installations, who lack the unfiltered_html capability, can introduce arbitrary JavaScript code. The injected JavaScript executes for all users who access the WordPress login page, posing significant security risks to site visitors.
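The output pattern described above and a hardened form, as an added PHP illustration that is not the plugin's own code. The option name `example_recaptcha_site_key`, the settings group and the `example_*` function names are hypothetical, and the character set accepted for a site key is an assumption.

```php
<?php
// Added illustration. The option name, settings group and function names are
// hypothetical; this is not the plugin's source.

// Pattern described in the advisory: a stored setting concatenated raw into a
// JavaScript string literal, so quotes or a closing script tag end the literal.
function example_grecaptcha_js_unsafe() {
    $site_key = get_option( 'example_recaptcha_site_key', '' );
    echo "<script>var exampleSiteKey = '" . $site_key . "';</script>";
}

// Allowlist validation. Assumption: site keys use only URL-safe base64
// characters; the length bound is a constructed sanity limit.
function example_sanitize_site_key( $value ) {
    $value = is_string( $value ) ? trim( $value ) : '';
    return preg_match( '/\A[A-Za-z0-9_-]{1,100}\z/', $value ) ? $value : '';
}

// Validate on save, so a hostile value never reaches the database.
add_action( 'admin_init', function () {
    register_setting( 'example_recaptcha', 'example_recaptcha_site_key', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_site_key',
        'default'           => '',
    ) );
} );

// Validate again on output (covers values stored before the fix), then encode
// for the JavaScript context instead of building the literal by hand.
function example_grecaptcha_js_safe() {
    $site_key = example_sanitize_site_key( get_option( 'example_recaptcha_site_key', '' ) );
    if ( '' === $site_key ) {
        return; // Nothing valid to emit.
    }
    // JSON_HEX_* flags escape <, >, &, ' and " so the value cannot close the
    // string or the surrounding <script> element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    echo '<script>var exampleSiteKey = ' . wp_json_encode( $site_key, $flags ) . ';</script>';
}
add_action( 'login_footer', 'example_grecaptcha_js_safe' );
```

Validating on save and encoding on output are independent controls: the first keeps bad data out of the options table, the second keeps the login page safe even if a bad value is already stored.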
Affected Version(s)
reCaptcha by WebDesignBy 0 < 2.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.