WP reCaptcha by WebDesignBy < 2.0 – Admin+ Stored XSS | CVE 2026-4512 | Plugin Vulnerabilities

Description

The plugin does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This allows administrators on multisite installations (who do not have the unfiltered_html capability) to inject arbitrary JavaScript that executes for all visitors to the WordPress login page.

Proof of Concept

1. Install WP reCaptcha by WebDesignBy v1.7 on a multisite WordPress installation
2. Log in as a site administrator
3. Navigate to Settings > reCaptcha
4. Enter the following payload in the Site Key field: </script><svg/onload=alert(123)//>
5. Save settings

Affects Plugins

webdesignby-recaptcha

Fixed in 2.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mustafa Ahmed

Submitter

Mustafa Ahmed

Submitter website

https://fortressmssp.com

Verified

Yes

WPVDB ID

6dfb4378-fe6a-4462-af10-8e7504e3d593

Timeline

Publicly Published

2026-04-02 (about 23 days ago)

Added

2026-04-02 (about 22 days ago)

Last Updated

2026-04-02 (about 22 days ago)

Other

Published

Title

Published

2025-05-30

Title

Royal Elementor Addons and Templates < 1.7.1021 - Contributor+ Stored XSS

Published

2024-02-06

Title

All-In-One Security (AIOS) – Security and Firewall < 5.2.6 - Reflected Cross-Site Scripting

Published

2025-06-19

Title

Hostel < 1.1.5.9 - Admin+ Stored XSS

Published

2024-05-10

Title

Envo's Elementor Templates & Widgets for WooCommerce < 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-10-17

Title

Conversios.io < 6.5.4 - Reflected XSS