ReCaptcha Integration for WordPress < 1.2.8 – Admin+ Stored XSS | CVE 2024-37946 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

wp-recaptcha-integration

Fixed in 1.2.8

References

CVE

URL

https://patchstack.com/database/vulnerability/wp-recaptcha-integration/wordpress-recaptcha-integration-for-wordpress-plugin-1-2-5-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

LuxF0z

Verified

No

WPVDB ID

d01e5db7-1232-464b-bd82-55dffe987029

Timeline

Publicly Published

2024-07-10 (about 1 year ago)

Added

2024-07-18 (about 1 year ago)

Last Updated

2025-11-11 (about 6 months ago)

Other

Published

Title

Published

2021-05-12

Title

Photo Gallery < 1.5.67 - Authenticated Stored Cross-Site Scripting via Gallery Title

Published

2024-06-06

Title

WP Visitors Tracker < 2.4 - Reflected Cross-Site Scripting

Published

2021-09-20

Title

Sociable <= 4.3.4.1 - Admin+ Stored Cross-Site Scripting

Published

2014-08-01

Title

MF Gig Calendar 0.9.4.1 - URL Cross-Site Scripting

Published

2022-01-03

Title

NextScripts: Social Networks Auto-Poster < 4.3.24 - Unauthenticated Stored XSS