CVE-2026-4512

low

Description

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This allows administrators on multisite installations (who do not have the unfiltered_html capability) to inject arbitrary JavaScript that executes for all visitors to the WordPress login page.

References

https://wpscan.com/vulnerability/6dfb4378-fe6a-4462-af10-8e7504e3d593/

Details

Source: Mitre, NVD

Published: 2026-04-23

Updated: 2026-04-23

Risk Information

CVSS v2

Base Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 3.5

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Severity: Low

EPSS

EPSS: 0.00009

Detections

Analytics