Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha – wp recaptcha-wp allows Stored XSS.This issue affects Recaptcha – wp: from n/a through <= 0.2.6.
Published: 2025-09-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Recaptcha – wp plugin contains improper neutralization of input during web page generation, allowing a stored XSS vulnerability. Based on the description, it is inferred that malicious code can be injected into content handled by the plugin and run in the browsers of any user who views that content, enabling client‑side attacks such as credential theft or defacement.

Affected Systems

All WordPress installations that use the Recaptcha – wp plugin from rozx, any release up to and including 0.2.6, are affected. The vulnerability is not tied to a specific WordPress version but to the plugin itself.

Risk and Exploitability

The CVSS v3 score of 5.9 indicates a moderate severity assessment, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would typically abuse any data‑entry field exposed by the plugin to store malicious scripts that are subsequently rendered for users who access the affected content.

Generated by OpenCVE AI on May 1, 2026 at 06:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Recaptcha – wp to a version newer than 0.2.6 if a patch is available from the vendor.
  • If no update exists, disable or remove the plugin until a fixed release is issued.
  • Apply WordPress input sanitization functions (such as wp_kses) or install a trusted security plugin to filter out script content before storage, as an interim mitigation.

Generated by OpenCVE AI on May 1, 2026 at 06:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31232 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha &#8211; wp allows Stored XSS. This issue affects Recaptcha &#8211; wp: from n/a through 0.2.6.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha &#8211; wp recaptcha-wp allows Stored XSS.This issue affects Recaptcha &#8211; wp: from n/a through <= 0.2.6. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha – wp recaptcha-wp allows Stored XSS.This issue affects Recaptcha – wp: from n/a through <= 0.2.6.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha &#8211; wp allows Stored XSS. This issue affects Recaptcha &#8211; wp: from n/a through 0.2.6. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha &#8211; wp recaptcha-wp allows Stored XSS.This issue affects Recaptcha &#8211; wp: from n/a through <= 0.2.6.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rozx Recaptcha &#8211; wp allows Stored XSS. This issue affects Recaptcha &#8211; wp: from n/a through 0.2.6.
Title WordPress Recaptcha – wp Plugin <= 0.2.6 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:56.768Z

Reserved: 2025-09-25T15:28:19.138Z

Link: CVE-2025-60177

cve-icon Vulnrichment

Updated: 2025-09-26T13:19:01.675Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T09:15:47.617

Modified: 2026-04-28T19:34:40.253

Link: CVE-2025-60177

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses