Login No Captcha reCAPTCHA Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Login No Captcha reCAPTCHA plugin for WordPress, affecting all versions through 1.8.0. The issue arises in the 'authenticate()' function, which improperly sanitizes the 'PHP_SELF' superglobal before storing it in a WordPress option. This unsanitized data is later output directly into the admin dashboard, creating an opportunity for unauthenticated attackers to inject malicious scripts. These scripts can execute when an administrator with a whitelisted IP address visits the dashboard within 30 seconds of the injection.
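
The store-then-print pattern described above, next to the input validation and output escaping that close it, as an added example in plain PHP. This is not the plugin's source code: the option key `demo_last_login_path`, the function names and the sample `PHP_SELF` value are constructed for illustration, and a plain array stands in for the WordPress options table.

```php
<?php
// Added illustration; NOT the plugin's source. All names here are hypothetical.
// $options stands in for the WordPress options table (update_option/get_option).
$options = [];

// PHP_SELF includes any path info appended after the script name, so it is
// request-controlled. Constructed sample value carrying harmless markup:
$php_self = '/xmlrpc.php/<b>marker</b>';

// Vulnerable pattern: store the raw value, print it unescaped later.
function record_login_path_unsafe(array &$options, string $php_self): void {
    $options['demo_last_login_path'] = $php_self;
}
function render_notice_unsafe(array $options): string {
    return '<div class="notice"><p>Login attempt via '
        . $options['demo_last_login_path'] . '</p></div>';
}

// Hardened pattern: validate on input AND escape on output.
function record_login_path_safe(array &$options, string $php_self): void {
    // Accept only a conservative path charset; anything else is replaced.
    $ok = preg_match('#^/[A-Za-z0-9_./-]{1,200}$#', $php_self) === 1;
    $options['demo_last_login_path'] = $ok ? $php_self : '(invalid path)';
}
function render_notice_safe(array $options): string {
    // In WordPress the escaping call would be esc_html(); htmlspecialchars()
    // is the plain-PHP equivalent used so this file runs without WordPress.
    return '<div class="notice"><p>Login attempt via '
        . htmlspecialchars($options['demo_last_login_path'],
                           ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p></div>';
}

record_login_path_unsafe($options, $php_self);
echo render_notice_unsafe($options), PHP_EOL; // markup reaches the page as HTML

record_login_path_safe($options, $php_self);
echo render_notice_safe($options), PHP_EOL;   // value was rejected at input

// Escaping on output also covers a value that was already stored raw,
// for example by an older version before an update:
$options['demo_last_login_path'] = $php_self;
echo render_notice_safe($options), PHP_EOL;   // markup is rendered as text
```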

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the admin dashboard.

Reproduction

To reproduce this vulnerability, log into a WordPress site with the vulnerable plugin version installed. Attempt to authenticate through a non-standard login page, such as 'xmlrpc.php', without the proper reCAPTCHA verification. This will trigger the 'authenticate()' function to store the unsanitized 'PHP_SELF' value. Once the value is stored, an injected script will execute when an administrator with a whitelisted IP address visits the dashboard within 30 seconds.

Remediation

Users are advised to update the Login No Captcha reCAPTCHA plugin to version 1.8.1 or later.

Added: May 28, 2026, 6:09 AM
Updated: May 28, 2026, 6:09 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 7.0
remediation: 0.0
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.