CVE-2026-2374 (Severity: HIGH, CNA: Wordfence)

CVE-2026-2374: Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP_SELF

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, 1.8.0. This is due to the `authenticate()` function storing the unsanitized output of `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when a login attempt is made from a non-standard login page (e.g., xmlrpc.php). The `admin_notices()` function then echoes this stored value directly into the admin dashboard HTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address visits the WordPress dashboard within 30 seconds of the attack.

HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in the Login No Captcha reCAPTCHA plugin for WordPress (versions up to and including 1.8.0) allows an unauthenticated remote attacker to inject arbitrary JavaScript into the WordPress admin dashboard. The plugin's authenticate() function writes the unsanitized value of basename($_SERVER['PHP_SELF']) into a WordPress option on any login attempt against a non-standard endpoint such as xmlrpc.php; the admin_notices() function then echoes that stored value directly into dashboard HTML without escaping. When an administrator visits the dashboard within roughly 30 seconds of the attack, the injected script executes in their browser session. No fix versions have been published; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-2374 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Wordfence feed) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Any image layer containing the robertpeake/Login No Captcha reCAPTCHA plugin at version 1.8.0 or earlier is flagged automatically.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 7.2 HIGH (v3.1) and is capable of weighting that score against each customer environment's compliance policy, escalating findings for internet-facing WordPress deployments where administrator session hijacking carries elevated business risk. Routed findings land in the inbox of the team or individual mapped to WordPress plugin ownership within each customer org.

Status: Available
Patch

Because no fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream publishes a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress login or xmlrpc.php endpoint over the network to submit a crafted login request that plants the malicious value.

  • Authentication: Not required

    No account or credentials are needed; the injection is triggered by an unauthenticated login attempt against the target endpoint.

  • Victim interaction: Required

    A WordPress administrator must visit the dashboard after the malicious value has been stored, causing their browser to execute the injected script.

  • Attack complexity: Low (CVSS AC:L)

    The exploit itself is reliable once the target endpoint is reachable; the only constraint is timing. An administrator must load the dashboard within the approximately 30-second window before the stored value is overwritten or expires, so the attacker has to align the login attempt with administrator activity.

Blast Radius

  • An attacker whose script runs in the administrator's browser session can read the session cookie or auth tokens and replay them to take over the admin account.
  • The injected script can create new administrator-level WordPress accounts or modify existing user credentials, giving the attacker persistent access to the site.
  • Arbitrary content, including redirects or malware download prompts, can be injected into pages served to end users of the WordPress site.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-2374, HarborGuard continuously re-checks the Wordfence advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a remediated version is published. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads without manual intervention. While no patch is available, recommended compensating controls include blocking external access to xmlrpc.php via a Web Application Firewall rule or network policy, restricting the WordPress admin dashboard to known IP ranges to reduce the window in which a planted script can execute, and auditing WordPress option values for unexpected HTML or script content in login_nocaptcha_error. HarborGuard surfaces this CVE with a HIGH severity flag on any image containing the affected plugin version, ensuring it remains visible in triage queues until a fix is available.
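The store-then-echo pattern from the synopsis beside a hardened form, together with the option audit recommended among the compensating controls above, as an added example that is not the plugin's code; the hook bodies, the allowlist regex and the helper `login_nocaptcha_error_looks_tampered()` are assumptions, and only the function and option names come from the advisory.

```php
<?php
// Illustrative reconstruction of the pattern the advisory describes, NOT the
// plugin's real source; hook bodies, regex and the audit helper are assumed.
// --- Vulnerable pattern: store PHP_SELF-derived text, echo it unescaped ---
function vulnerable_authenticate( $user ) {
    // PHP_SELF is built from the request path, so its basename is attacker-
    // influenced; here it is persisted to wp_options without any sanitisation.
    $page = basename( $_SERVER['PHP_SELF'] );
    if ( 'wp-login.php' !== $page ) {
        update_option( 'login_nocaptcha_error', $page );
    }
    return $user;
}
function vulnerable_admin_notices() {
    $err = get_option( 'login_nocaptcha_error' );
    if ( $err ) {
        // Sink: raw HTML context with no escaping -> stored XSS in the dashboard.
        echo '<div class="notice"><p>Login attempted from ' . $err . '</p></div>';
    }
}
// --- Hardened pattern: allowlist on input, escape on output ---
// Only a plain script filename is ever expected in this option (assumption).
const LNC_SAFE_BASENAME = '/^[A-Za-z0-9_-]+\.php$/';
function hardened_authenticate( $user ) {
    $page = basename( (string) ( $_SERVER['PHP_SELF'] ?? '' ) );
    // Anything that is not a plain *.php filename is replaced, never stored.
    $page = preg_match( LNC_SAFE_BASENAME, $page ) ? $page : 'unknown';
    if ( 'wp-login.php' !== $page ) {
        update_option( 'login_nocaptcha_error', $page );
    }
    return $user;
}
function hardened_admin_notices() {
    $err = get_option( 'login_nocaptcha_error' );
    if ( $err ) {
        // esc_html() neutralises markup even if a bad value reached the database.
        echo '<div class="notice"><p>Login attempted from ' . esc_html( $err ) . '</p></div>';
    }
}
add_filter( 'authenticate', 'hardened_authenticate', 30 );
add_action( 'admin_notices', 'hardened_admin_notices' );
// --- Audit helper for existing installs (compensating control) ---
// Returns true when the stored value is not a plain filename, i.e. when
// something has been planted that the vulnerable notice would render as HTML.
function login_nocaptcha_error_looks_tampered() {
    $err = (string) get_option( 'login_nocaptcha_error', '' );
    return '' !== $err && ! preg_match( LNC_SAFE_BASENAME, $err );
}
```

The audit helper can be called from a WP-CLI `eval` or a scheduled check; a true result means the option should be deleted and the login logs reviewed.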

Metrics

CVSS v3.1: 7.2
Severity: HIGH
Fixed in: none published (no upstream fix available)
Affected products: 1
Affected packages:
  • robertpeake / Login No Captcha reCAPTCHA, ≤ 1.8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N