CVE · April 25, 2026

Reflected XSS in reCaptcha by WebDesignBy Plugin

A cross-site scripting vulnerability affects reCaptcha by WebDesignBy. This WordPress plugin adds Google reCAPTCHA to your forms. CVE-2026-4512 has a CVSS score of 3.5 (Low severity). The flaw involves reflected XSS through improper input handling.

CVE-2026-4512: About the Plugin

reCaptcha by WebDesignBy integrates Google reCAPTCHA protection. It adds verification boxes to contact forms. Site owners use it to block spam submissions. The plugin helps protect form integrity on WordPress sites.

CVE-2026-4512: The Vulnerability in Detail

CVE-2026-4512 is a reflected XSS vulnerability. The plugin writes the value of certain URL parameters back into the page without escaping it for the HTML context. An attacker can craft a URL that carries injected JavaScript in one of those parameters, and the script executes in the browser of any user who opens the link.

The issue requires user interaction to succeed. The victim must click a specially crafted link. This lowers the severity compared to stored XSS flaws. But the attack still poses a risk to unsuspecting users.
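The following is an added illustration of the bug class described above, not code from reCaptcha by WebDesignBy: a query-string value echoed straight into HTML, next to the escaped form WordPress expects. The parameter name `msg`, the function names and the fallback definitions are assumptions so the file also runs outside WordPress; the real vulnerable parameter in the plugin is not named on this page.

```php
<?php
// Added example (not the plugin's code). "msg" and the function names are
// hypothetical; they show the pattern, not the actual affected code path.

// Minimal stand-ins so this runs with plain `php file.php`; inside WordPress
// the real esc_html()/esc_attr()/wp_unslash()/sanitize_text_field() are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
    function wp_unslash( $s ) { return stripslashes( (string) $s ); }
    function sanitize_text_field( $s ) { return trim( strip_tags( (string) $s ) ); }
}

// Vulnerable pattern: the raw parameter lands in the markup unchanged,
// so markup or <script> in the URL is interpreted by the browser.
function demo_vulnerable_notice( array $get ) {
    $msg = isset( $get['msg'] ) ? wp_unslash( $get['msg'] ) : '';
    return '<div class="notice">' . $msg . '</div>';
}

// Fixed pattern: sanitize on input, escape on output for the HTML body context.
function demo_safe_notice( array $get ) {
    $msg = isset( $get['msg'] ) ? sanitize_text_field( wp_unslash( $get['msg'] ) ) : '';
    return '<div class="notice">' . esc_html( $msg ) . '</div>';
}

// Attribute context needs esc_attr(); the escaping function must match
// where the value is written, which is what "proper output escaping" means.
function demo_safe_hidden_field( $value ) {
    return '<input type="hidden" name="redirect_to" value="' . esc_attr( $value ) . '">';
}

// Constructed test input standing in for a crafted link's query string.
$constructed_get = [ 'msg' => '<script>/* constructed */</script>' ];

echo "vulnerable: " . demo_vulnerable_notice( $constructed_get ) . "\n";
echo "safe:       " . demo_safe_notice( $constructed_get ) . "\n";
echo "attribute:  " . demo_safe_hidden_field( '" onfocus="x' ) . "\n";
```

In the vulnerable output the `<script>` element survives intact; in the safe output it is rendered as literal text (`&lt;script&gt;`), which is the whole fix. Note that sanitizing on input alone is not enough: the output escaping is what makes the stored or reflected value safe in its final context.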

Severity Assessment

The CVSS 3.5 score places this in the Low severity range. The attack has high complexity and requires user action. The scope is limited compared to other XSS types. However, any XSS can lead to session hijacking or data theft.

Reflected XSS attacks often come through phishing emails. Attackers send links that look legitimate. They trick users into visiting the malicious URL. The exploit runs in the context of the victim’s browser session.

Affected Versions

CVE-2026-4512 affects reCaptcha by WebDesignBy version 1.7 and earlier. The plugin developers released a fix in version 1.8. They added proper output escaping to the vulnerable parameters. Update to the latest version to eliminate the risk.

Protection Measures

Update the plugin to version 1.8 or newer immediately. Educate your users about phishing risks. Tell them not to click suspicious links. Use a web application firewall to filter XSS payloads.

Enable Content Security Policy headers on your site. CSP can block many XSS attacks at the browser level. This adds defense beyond plugin updates.
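As an added example of the CSP recommendation (not part of the plugin or of TrustIWP's guidance), the snippet below sends a policy from a WordPress site through the `send_headers` action. The policy is started in Report-Only mode so it can be tuned against real traffic before it blocks anything; the reCAPTCHA host allowances are an assumption to verify against Google's current reCAPTCHA CSP guidance, and `'unsafe-inline'` for styles is a concession to typical theme markup.

```php
<?php
// Added example: ship a CSP from a WordPress mu-plugin or theme functions.php.
// Values below are a starting point, not a policy tested for any specific site.
// The reCAPTCHA origins are assumed and should be checked against Google's docs.

function demo_build_csp_policy() {
    return implode( '; ', [
        "default-src 'self'",
        // Scripts only from this origin and the reCAPTCHA loader hosts.
        "script-src 'self' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/",
        // The reCAPTCHA widget renders in an iframe from this origin.
        "frame-src https://www.google.com/recaptcha/ https://recaptcha.google.com/recaptcha/",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
    ] );
}

add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return;
    }
    // Report-Only first: violations are logged to the browser console
    // (and to report-to/report-uri if configured) without blocking.
    header( 'Content-Security-Policy-Report-Only: ' . demo_build_csp_policy() );
} );
```

Once the console shows no unexpected violations on the login, registration and comment pages, switch the header name to `Content-Security-Policy` to enforce it. Because `script-src` omits `'unsafe-inline'`, an injected `<script>` from a reflected parameter is refused by the browser even if the plugin's escaping is missing, which is the "defense beyond plugin updates" the text refers to.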

Final Thoughts

CVE-2026-4512 has a low CVSS score but still needs attention. Reflected XSS can cause real damage in the right circumstances. Update reCaptcha by WebDesignBy to version 1.8 or higher. Layered security is the best approach to stay safe.

TrustIWP recommends patching all vulnerabilities regardless of severity. Low-risk flaws can chain with other issues. Stay proactive about WordPress security today.

The reCaptcha by WebDesignBy plugin is available at https://wordpress.org/plugins/search/recaptcha/.

reCaptcha by WebDesignBy is a WordPress plugin that adds Google reCAPTCHA to your forms. It protects login forms, registration forms, and comment forms from spam bots. Site owners install it to reduce spam without frustrating users with complex CAPTCHAs.

The plugin integrates with the WordPress login system, which is why site owners pick it as a security measure. A reflected XSS vulnerability in this context is especially problematic because login pages are high-traffic targets.

Reflected XSS Details

CVE-2026-4512 is a reflected Cross-Site Scripting vulnerability. The plugin reflects user input from certain URL parameters without proper sanitization or output encoding. An attacker can craft a malicious link that, when clicked, executes JavaScript in the user’s browser.

The CVSS score is 3.5 (Low) because the attack requires user interaction. However, reflected XSS on a login page can still steal session cookies or redirect users to phishing pages. The attacker sends a link via email or social media, and users who click it while logged into WordPress are vulnerable.
