CVE-2026-2374 Overview
CVE-2026-2374 is a Stored Cross-Site Scripting (XSS) vulnerability in the Login No Captcha reCAPTCHA plugin for WordPress, affecting all versions up to and including 1.8.0. The plugin's authenticate() function stores the unsanitized output of basename($_SERVER['PHP_SELF']) in the login_nocaptcha_error WordPress option whenever a login attempt originates from a non-standard login page such as xmlrpc.php. The admin_notices() function later echoes that stored value into the admin dashboard HTML without escaping. Unauthenticated attackers can inject arbitrary scripts that execute when an administrator with a whitelisted IP visits the WordPress dashboard within 30 seconds of the attack. The vulnerability is tracked as [CWE-79] Improper Neutralization of Input During Web Page Generation.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript that executes in the WordPress administrator's browser session, enabling account takeover, plugin manipulation, and full site compromise.
Affected Products
- Login No Captcha reCAPTCHA plugin for WordPress, all versions through 1.8.0
- WordPress installations exposing xmlrpc.php or other non-standard login endpoints
- Sites configured with administrator IP whitelisting that triggers the vulnerable admin notice flow
Discovery Timeline
- 2026-05-28 - CVE-2026-2374 published to NVD
- 2026-05-28 - Last updated in the NVD database
Technical Details for CVE-2026-2374
Vulnerability Analysis
The vulnerability is a stored XSS flaw rooted in WordPress plugin code that trusts the $_SERVER['PHP_SELF'] superglobal. When a login attempt is initiated through an endpoint other than wp-login.php, such as xmlrpc.php, the plugin's authenticate() function calls basename($_SERVER['PHP_SELF']) and persists the result in the login_nocaptcha_error WordPress option. The PHP_SELF value can be manipulated by an attacker through crafted request URIs, allowing arbitrary content to enter the database. The plugin's admin_notices() handler then outputs that stored value directly into the rendered HTML of the admin dashboard without applying esc_html(), esc_attr(), or any equivalent sanitization. Because the malicious payload is persisted and later rendered to a privileged user, the impact extends well beyond a reflected XSS, providing an avenue for session-bound actions executed as a WordPress administrator.
Root Cause
The root cause is missing output escaping combined with implicit trust in a user-controlled superglobal. $_SERVER['PHP_SELF'] is derived from the request URI and is attacker-influenced. Storing it without sanitization and echoing it without contextual escaping violates the WordPress Plugin Handbook guidance for escaping on output. See WordPress Plugin Code Line 281 and WordPress Plugin Code Line 377 for the vulnerable storage and rendering paths.
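As an added illustration of the root cause (not the plugin's actual code, which is not reproduced on this page), the following PHP shows the storage-and-render pattern the advisory describes next to a hardened version. Functions prefixed demo_ are hypothetical; update_option(), get_option(), delete_option(), esc_html() and add_action() are real WordPress API functions, so the snippet assumes it runs inside the WordPress plugin runtime. The minimal fix is escaping on output with esc_html(); refusing to persist the request-derived string at all is the defense-in-depth layer.

```php
<?php
// Added illustrative example: a minimal reconstruction of the storage and
// rendering pattern the advisory describes, next to a hardened version. This
// is not the plugin's actual code; functions prefixed demo_ are hypothetical.
// update_option(), get_option(), delete_option(), esc_html() and add_action()
// are real WordPress API functions, so the snippet assumes it runs inside the
// WordPress plugin runtime rather than from the PHP CLI.

// --- Vulnerable pattern (kept for comparison) --------------------------------
// PHP_SELF is built from the request path and includes any trailing PATH_INFO,
// so an unauthenticated request decides what basename() returns and what is
// written to the option.
function demo_vulnerable_record_error() {
    update_option( 'login_nocaptcha_error', basename( $_SERVER['PHP_SELF'] ) );
}

// The stored, attacker-influenced value is echoed straight into admin HTML.
function demo_vulnerable_admin_notice() {
    $err = get_option( 'login_nocaptcha_error' );
    if ( $err ) {
        echo '<div class="notice notice-error"><p>Login attempt from ' . $err . '</p></div>';
    }
}

// --- Hardened pattern --------------------------------------------------------
// 1. Do not persist request-derived strings. Map the endpoint to a key from a
//    fixed allowlist defined in code and store only that key.
function demo_safe_record_error() {
    // SCRIPT_NAME, unlike PHP_SELF, does not carry PATH_INFO; but the
    // allowlist below is what makes the stored value trustworthy.
    $script = isset( $_SERVER['SCRIPT_NAME'] ) ? basename( $_SERVER['SCRIPT_NAME'] ) : '';
    $known  = array(
        'xmlrpc.php'     => 'xmlrpc',
        'wp-login.php'   => 'wp_login',
        'admin-ajax.php' => 'admin_ajax',
    );
    update_option( 'login_nocaptcha_error', isset( $known[ $script ] ) ? $known[ $script ] : 'other' );
}

// 2. Escape on output regardless of what the database holds, so a value left
//    behind by an unpatched version is rendered as inert text.
function demo_safe_admin_notice() {
    $key = get_option( 'login_nocaptcha_error' );
    if ( ! $key ) {
        return;
    }
    $labels = array(
        'xmlrpc'     => 'XML-RPC (xmlrpc.php)',
        'wp_login'   => 'the standard login form',
        'admin_ajax' => 'admin-ajax.php',
        'other'      => 'a non-standard login endpoint',
    );
    // An unknown key (including any legacy markup) falls back to a constant
    // label, and esc_html() covers the whole string anyway.
    $label = isset( $labels[ $key ] ) ? $labels[ $key ] : 'an unrecognized endpoint';
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( 'reCAPTCHA could not be verified for a login attempt from ' . $label )
    );
    delete_option( 'login_nocaptcha_error' ); // show the notice once
}

add_action( 'admin_notices', 'demo_safe_admin_notice' );
```

The two hardened steps are independent: even if an older value containing markup is still in wp_options, the output path renders it as text, and once the allowlisted key is in place the option can never carry markup again.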
Attack Vector
An unauthenticated remote attacker sends a crafted authentication request to xmlrpc.php (or another non-standard login endpoint) with a manipulated request path that embeds a JavaScript payload. The plugin stores the payload in the options table. When an administrator whose IP is whitelisted loads the dashboard within 30 seconds, the admin notice renders the payload and the script executes in the administrator's authenticated browser context. A proof-of-concept is available at the CVE-2026-2374 PoC repository.
No verified exploit code is reproduced here. Refer to the Wordfence Vulnerability Analysis for technical details of the injection chain.
Detection Methods for CVE-2026-2374
Indicators of Compromise
- Unusual values stored in the login_nocaptcha_error row of the wp_options table containing <script>, onerror=, or HTML event handler strings
- Authentication requests targeting xmlrpc.php with abnormal or encoded path segments in the request URI
- Administrator sessions performing unexpected privileged actions (user creation, plugin installation) shortly after dashboard load
Detection Strategies
- Query the WordPress options table for the login_nocaptcha_error key and inspect the value for HTML or JavaScript markup
- Inspect web server access logs for requests to xmlrpc.php whose request path continues past the script name or contains URL-encoded characters; PHP_SELF is derived from that path, so the manipulation is visible there
- Monitor for admin-ajax.php or REST API actions originating from administrator sessions immediately following a dashboard load that contained the injected payload
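The two checks above (inspecting the stored option value and the access log) can be scripted. The following PHP is an added example, not part of the advisory or the plugin; it runs stand-alone with the PHP CLI (php detect.php) and needs no WordPress runtime. The option values and access-log lines are constructed test data; in practice, feed it the real value of login_nocaptcha_error (for example from `SELECT option_value FROM wp_options WHERE option_name = 'login_nocaptcha_error'`) and the web server's combined-format access log.

```php
<?php
// Added detection example, not part of the advisory or the plugin. Runs
// stand-alone with the PHP CLI and needs no WordPress runtime. All sample
// data below is constructed for the demonstration.

/**
 * True when a stored option value carries HTML or script markup that a
 * legitimate basename() of a login script never would.
 */
function looks_like_markup( string $value ): bool {
    // Decode once so %3Cscript%3E and &lt;script&gt; variants are caught too.
    $decoded  = html_entity_decode( rawurldecode( $value ), ENT_QUOTES | ENT_HTML5 );
    $patterns = array(
        '/<\s*\/?\s*[a-z][a-z0-9-]*/i',   // any HTML tag opener, e.g. <script, <img
        '/\bon[a-z]+\s*=/i',              // event-handler attributes, e.g. onerror=
        '/javascript\s*:/i',              // javascript: URLs
    );
    foreach ( $patterns as $re ) {
        if ( preg_match( $re, $decoded ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Filters combined-format access-log lines down to xmlrpc.php requests whose
 * path has anything after the script name (extra PATH_INFO segments, which is
 * what PHP_SELF reflects) or percent-encoded characters. Returns the matching
 * request paths keyed by 1-based line number.
 */
function suspicious_xmlrpc_requests( array $lines ): array {
    $hits = array();
    foreach ( $lines as $i => $line ) {
        // "METHOD /path HTTP/x.y" is the quoted request field of the log line.
        if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
            continue;
        }
        $path = parse_url( $m[1], PHP_URL_PATH );
        if ( ! is_string( $path ) ) {
            $path = $m[1]; // malformed URL: inspect the raw field instead
        }
        $pos = strpos( $path, '/xmlrpc.php' );
        if ( $pos === false ) {
            continue;
        }
        $trailing = substr( $path, $pos + strlen( '/xmlrpc.php' ) );
        if ( $trailing !== '' || strpos( $path, '%' ) !== false || looks_like_markup( $path ) ) {
            $hits[ $i + 1 ] = $path;
        }
    }
    return $hits;
}

// --- Constructed sample data -------------------------------------------------
$option_values = array(
    'benign'   => 'xmlrpc.php',
    'injected' => 'xmlrpc.php<img src=x onerror=alert(1)>',          // constructed IoC
    'encoded'  => 'xmlrpc.php%3Cscript%3Ealert(1)%3C%2Fscript%3E',    // constructed IoC
);

$access_log = array(
    '203.0.113.5 - - [28/May/2026:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/May/2026:10:00:07 +0000] "POST /xmlrpc.php/%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 498 "-" "curl/8.0"',
    '198.51.100.2 - - [28/May/2026:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/May/2026:10:00:12 +0000] "POST /xmlrpc.php/extra HTTP/1.1" 200 498 "-" "curl/8.0"',
);

foreach ( $option_values as $label => $value ) {
    printf( "option value %-8s -> %s\n", $label, looks_like_markup( $value ) ? 'SUSPICIOUS' : 'clean' );
}
foreach ( suspicious_xmlrpc_requests( $access_log ) as $lineno => $path ) {
    printf( "access log line %d: suspicious path %s\n", $lineno, $path );
}
```

With the constructed data, the benign option value is reported clean, the two markup-bearing values are flagged, and log lines 2 and 4 are returned because their paths continue past /xmlrpc.php. The `on[a-z]+=` pattern can match innocuous strings such as `option=`, so treat a hit on the option value as a prompt to inspect the row, and correlate access-log hits with the dashboard-load timing described under Indicators of Compromise before escalating.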
Monitoring Recommendations
- Enable WordPress audit logging for option updates and user role changes
- Forward web server and PHP error logs to a centralized analytics platform for query and correlation
- Alert on anomalous administrator activity that follows requests to non-standard login endpoints within short time windows
How to Mitigate CVE-2026-2374
Immediate Actions Required
- Update the Login No Captcha reCAPTCHA plugin to a version newer than 1.8.0 once the vendor publishes a fixed release
- Inspect the wp_options table and clear any malicious value stored under login_nocaptcha_error
- Rotate administrator credentials and invalidate active sessions if compromise is suspected
- Review installed plugins, themes, and user accounts for unauthorized changes
Patch Information
The vendor changeset addressing the issue is tracked at the WordPress Plugin Changeset. Administrators should consult the WordPress Login Recaptcha Plugin page for the latest released version and apply updates through the WordPress admin dashboard.
Workarounds
- Disable or restrict access to xmlrpc.php at the web server or WAF layer if the endpoint is not required
- Temporarily deactivate the Login No Captcha reCAPTCHA plugin until a patched release is installed
- Remove or narrow administrator IP whitelist entries that trigger the vulnerable admin notice flow
- Deploy a web application firewall rule that blocks request URIs containing HTML tags or script payloads targeting login endpoints
# Example Apache rule to block xmlrpc.php access
<Files "xmlrpc.php">
Require all denied
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.