The reCaptcha by WebDesignBy WordPress plugin version 1.x mishandles the Site Key setting, embedding it unescaped into a JavaScript string through the grecaptcha_js() function. This flaw allows a user with administrative privileges on a multisite installation to insert arbitrary JavaScript that is rendered for every visitor to the site’s login page. The injected code runs with the context of the page and can steal session cookies, launch phishing attacks, or redirect users to malicious sites, thereby compromising the confidentiality and integrity of the login process.

WordPress sites that have installed the reCaptcha by WebDesignBy plugin with a version prior to 2.0, particularly those configured on a multisite network where administrators lack the unfiltered_html capability. Any installation using this plugin and targeting the login page is at risk.

The overall CVSS v3.1 score is 3.5, indicating a moderate severity, and the EPSS probability falls below 1%, suggesting that exploitation is unlikely though not impossible. The vulnerability is not listed in the CISA KEV catalog. The attack requires administrator access to the WordPress backend; the attacker injects the malicious payload via the Site Key setting in the plugin configuration. Once injected, the malicious JavaScript executes for all end users accessing the login page, offering a broad exposure surface for credential theft or further social engineering. Because the flaw is confined to a configuration setting and requires elevated privileges, the practical risk is limited to sites with compromised or inadvertently overly permissive admin accounts.