WP reCaptcha by WebDesignBy WordPress Prior to 2.0 - Admin+ Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WP reCaptcha by WebDesignBy WordPress plugin, affecting versions prior to 2.0. The issue arises because the plugin fails to properly sanitize or escape the Site Key setting before it is output in a JavaScript string context through the grecaptcha_js() function. This flaw enables administrators on multisite installations, who lack the unfiltered_html capability, to inject arbitrary JavaScript that executes for all visitors on the WordPress login page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user visiting the WordPress login page.

Reproduction

To reproduce this vulnerability, install WP reCaptcha by WebDesignBy version 1.7 on a multisite WordPress installation. Log in as a site administrator and navigate to Settings > reCaptcha. In the Site Key field, enter a payload that includes a script closure followed by an SVG element with an 'onload' event, such as an alert command. Save the settings, and the injected script will execute for all visitors on the login page.

Remediation

Users are advised to update the WP reCaptcha by WebDesignBy WordPress plugin to version 2.0 or later.