Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in trof Captchelfie – Captcha by Selfie captchelfie-captcha-by-selfie allows Reflected XSS. This issue affects Captchelfie – Captcha by Selfie: from n/a through <= 1.0.7.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected XSS flaw in the Captchelfie – Captcha by Selfie WordPress plugin. Because user-supplied input is not properly neutralized before being written into the page, a malicious user can inject script that runs in the browser context of other visitors, potentially exposing account data or session cookies, or enabling phishing by impersonating the site. The weakness is classified as CWE-79 and can affect any site that uses the plugin, giving attackers a way to steal credentials or stage further attacks.

Affected Systems

WordPress sites running the Captchelfie – Captcha by Selfie plugin at version 1.0.7 or any earlier release are affected. The plugin is maintained by trof and distributed via the WordPress plugin repository. Versions newer than 1.0.7 are not known to contain this flaw.

Risk and Exploitability

The flaw has a CVSS score of 7.1, indicating substantial risk. EPSS is below 1%, so real-world exploitation is unlikely at present, and the vulnerability is not listed in CISA's KEV catalog. Attackers could exploit it by persuading users to visit a crafted URL or by injecting data into a form that the plugin reflects back. Since no patch is available yet, sites remain exposed until the vendor releases a fixed version.

Generated by OpenCVE AI on May 1, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Install the latest version of the plugin (≥ 1.0.8) once it is released.
  • If no update is available, disable or remove the plugin from the site.
  • Add a Content Security Policy that restricts inline script execution and blocks untrusted sources.

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-3289
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexey Trofimov Captchelfie – Captcha by Selfie allows Reflected XSS. This issue affects Captchelfie – Captcha by Selfie: from n/a through 1.0.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexey Trofimov Captchelfie – Captcha by Selfie allows Reflected XSS. This issue affects Captchelfie – Captcha by Selfie: from n/a through 1.0.7.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in trof Captchelfie – Captcha by Selfie captchelfie-captcha-by-selfie allows Reflected XSS. This issue affects Captchelfie – Captcha by Selfie: from n/a through <= 1.0.7.

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Sat, 18 Jan 2025 08:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:15:00 +0000

Type: Description
Value: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexey Trofimov Captchelfie – Captcha by Selfie allows Reflected XSS. This issue affects Captchelfie – Captcha by Selfie: from n/a through 1.0.7.

Type: Title
Value: WordPress Captchelfie – Captcha by Selfie plugin <= 1.0.7 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Value: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:14.715Z

Reserved: 2025-01-16T11:27:15.897Z

Link: CVE-2025-23620

Vulnrichment

Updated: 2025-01-17T17:21:25.263Z

NVD

Status: Deferred

Published: 2025-01-16T20:15:41.340

Modified: 2026-06-17T08:55:51.410

Link: CVE-2025-23620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T21:15:25Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')