CVE-2026-4512 Overview
The reCaptcha by WebDesignBy WordPress plugin before version 2.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the Site Key setting. The plugin fails to properly sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This allows administrators on multisite installations (who do not have the unfiltered_html capability) to inject arbitrary JavaScript that executes for all visitors to the WordPress login page.
Critical Impact
Malicious administrators on WordPress multisite installations can inject JavaScript code that executes in the context of all visitors accessing the WordPress login page, potentially enabling credential theft, session hijacking, or malicious redirects.
Affected Products
- reCaptcha by WebDesignBy WordPress plugin versions prior to 2.0
- WordPress multisite installations using the affected plugin
- WordPress login pages where the vulnerable plugin is active
Discovery Timeline
- 2026-04-23 - CVE-2026-4512 published to NVD
- 2026-04-23 - Last updated in the NVD database
Technical Details for CVE-2026-4512
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw exists in the grecaptcha_js() function which outputs the Site Key configuration value directly into a JavaScript string context without proper sanitization or encoding.
In WordPress multisite environments, administrators typically do not possess the unfiltered_html capability, which normally restricts their ability to inject raw HTML and JavaScript. However, this vulnerability bypasses that restriction by allowing arbitrary JavaScript injection through the Site Key field, which is then rendered to all visitors of the WordPress login page.
The attack requires authenticated access with administrative privileges on a WordPress multisite installation, making it a lower-severity threat compared to unauthenticated XSS vulnerabilities. However, in shared hosting or managed WordPress environments where multiple administrators have access, this vulnerability presents a significant risk for malicious insider threats.
Root Cause
The root cause of this vulnerability is insufficient output encoding in the grecaptcha_js() function. When the Site Key setting is output into a JavaScript string context, special characters that could break out of the string context (such as quotes, backslashes, and script tags) are not properly escaped. This allows an attacker to inject arbitrary JavaScript code by crafting a malicious Site Key value that terminates the intended string and introduces new JavaScript statements.
Attack Vector
The attack is network-based and requires an authenticated administrator on a WordPress multisite installation to configure a malicious Site Key value through the plugin settings interface. Once the malicious payload is stored, it executes automatically for every visitor who loads the WordPress login page, making this a stored XSS attack.
The vulnerability mechanism involves an administrator accessing the plugin settings, entering a crafted JavaScript payload in the Site Key field that breaks out of the string context, and the payload being stored in the WordPress database. Subsequently, when any user visits the WordPress login page, the grecaptcha_js() function outputs the malicious Site Key value, and the injected JavaScript executes in the visitor's browser. For detailed technical information, see the WPScan Vulnerability Report.
Detection Methods for CVE-2026-4512
Indicators of Compromise
- Unusual or suspicious values in the reCaptcha Site Key plugin setting containing JavaScript syntax
- JavaScript errors or unexpected behavior on the WordPress login page
- User reports of unexpected browser behavior or redirects when accessing the login page
- Audit logs showing modification of the reCaptcha plugin settings by unusual administrator accounts
Detection Strategies
- Implement Content Security Policy (CSP) headers to restrict inline script execution
- Monitor the stored WordPress plugin settings for unexpected modifications (the Site Key lives in the options table rather than in plugin files, so file integrity monitoring alone does not cover it)
- Review administrator activity logs for unauthorized configuration changes
- Use web application firewalls (WAF) to detect and block XSS payloads in plugin settings
Monitoring Recommendations
- Enable WordPress audit logging to track all administrator actions and plugin configuration changes
- Configure alerting for modifications to security-related plugin settings
- Implement browser-based XSS detection through CSP violation reporting
- Regularly audit multisite administrator accounts and permissions
How to Mitigate CVE-2026-4512
Immediate Actions Required
- Update the reCaptcha by WebDesignBy plugin to version 2.0 or later immediately
- Review current Site Key configuration values for any suspicious content or JavaScript code
- Audit administrator accounts on WordPress multisite installations for unauthorized access
- Consider temporarily disabling the plugin until the update can be applied
Patch Information
The vulnerability is addressed in version 2.0 of the reCaptcha by WebDesignBy WordPress plugin. The patch implements proper output encoding for the Site Key setting when rendered in JavaScript contexts. Administrators should update to the latest version through the WordPress plugin update mechanism or by downloading the updated version directly. For more information, refer to the WPScan Vulnerability Report.
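As an added example (not the plugin's own code), the following reconstructs the pattern described in the Root Cause and Patch Information sections in a hypothetical plugin: the unencoded interpolation that lets a quote terminate the JavaScript string, the output encoding the patch calls for, and an input allow-list that also gives the Indicators of Compromise check (Site Key values containing JavaScript syntax) a concrete form. The function bodies, the option name, the settings group and the hook wiring are assumptions; loading the reCAPTCHA API script and the widget container markup are omitted.

```php
<?php
// Added example, not the plugin's own code. The function name grecaptcha_js()
// comes from the advisory; the option name 'wdb_recaptcha_site_key', the
// settings group and the sanitizer are hypothetical.

// Vulnerable pattern: the stored option is concatenated into a JS string
// literal. A value containing a quote, e.g.  abc'; injected(); //  closes the
// literal and the remainder is parsed as JavaScript for every login visitor.
function grecaptcha_js_vulnerable() {
    $site_key = get_option( 'wdb_recaptcha_site_key' );
    echo "<script>grecaptcha.render('g-recaptcha', { sitekey: '" . $site_key . "' });</script>";
}

// Hardened output: encode the value for the JavaScript string context.
// wp_json_encode() emits a complete, quoted JS literal; the HEX flags also
// encode < > & ' " so a stored </script> cannot close the script element.
function grecaptcha_js() {
    $site_key = get_option( 'wdb_recaptcha_site_key', '' );
    $encoded  = wp_json_encode(
        (string) $site_key,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    echo '<script>grecaptcha.render("g-recaptcha", { sitekey: ' . $encoded . ' });</script>';
}

// Defence in depth: validate on save too. A reCAPTCHA site key is an opaque
// token of letters, digits, '-' and '_' (the length bound is a conservative
// assumption). Anything else is rejected and the previous value is kept, so
// JavaScript syntax never reaches wp_options in the first place.
function wdb_sanitize_site_key( $value ) {
    $value = trim( (string) $value );
    if ( preg_match( '/^[A-Za-z0-9_-]{1,100}$/', $value ) ) {
        return $value;
    }
    add_settings_error( 'wdb_recaptcha_site_key', 'invalid_site_key',
        'Site Key rejected: only letters, digits, "-" and "_" are allowed.' );
    return get_option( 'wdb_recaptcha_site_key', '' );
}

add_action( 'admin_init', function () {
    register_setting( 'wdb_recaptcha', 'wdb_recaptcha_site_key', array(
        'type'              => 'string',
        'sanitize_callback' => 'wdb_sanitize_site_key',
    ) );
} );

add_action( 'login_enqueue_scripts', 'grecaptcha_js' );
```

The same regex can be run against the current option value during incident review: a stored Site Key that fails it is the indicator the Detection section describes.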
Workarounds
- If updating is not immediately possible, temporarily deactivate the reCaptcha by WebDesignBy plugin until a patched version can be installed
- Implement strict Content Security Policy headers to mitigate potential XSS execution
- Restrict administrator access on multisite installations to only trusted users
- Consider using an alternative reCaptcha plugin that does not have this vulnerability
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

