[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fg6Yr5VQt9A7eON4nD2QlpevHEh4iX-iX84SlReG9MuA":3,"$f9oAs9NY1NfVO6zVGPiOvC7R7WH6W47nQXU5U-I6ZiFM":269,"$f7ZeiOTM9ZluBZXlOPzbbn7yDmcyU8mSelyqnOjCQ5Dw":274},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":23,"download_link":24,"security_score":25,"vuln_count":14,"unpatched_count":14,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":47,"crawl_stats":35,"alternatives":51,"analysis":150,"fingerprints":245},"recaptcha-wp","Recaptcha – wp","0.2.6","rozx","https:\u002F\u002Fprofiles.wordpress.org\u002Frozx\u002F","\u003Cp>Protect your WordPress site from spam machines by enable google recaptcha.\u003C\u002Fp>\n\u003Cp>Simple and lightweight to install.\u003C\u002Fp>\n\u003Cp>Free and fast.\u003C\u002Fp>\n","Protect your WordPress site from spam machines by using google recaptcha. 
Note the setting is under Settings -> Discussion menu.",40,3910,100,1,"2016-09-12T15:13:00.000Z","4.6.30","3.0.1","",[20,21,22],"comments","recaptcha","spam","http:\u002F\u002Fwww.heavyskymobile.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frecaptcha-wp.zip",63,"2025-09-26 00:00:00","2026-04-16T10:56:18.058Z","no_bundle",[30],{"id":31,"url_slug":32,"title":33,"description":34,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":35,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":26,"updated_date":41,"references":42,"days_to_patch":35,"patch_diff_files":44,"patch_trac_url":35,"research_status":35,"research_verified":45,"research_rounds_completed":46,"research_plan":35,"research_summary":35,"research_vulnerable_code":35,"research_fix_diff":35,"research_exploit_outline":35,"research_model_used":35,"research_started_at":35,"research_completed_at":35,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":45,"poc_model_used":35,"poc_verification_depth":35},"CVE-2025-60177","recaptcha-wp-authenticated-administrator-stored-cross-site-scripting","Recaptcha – wp \u003C= 0.2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting","The Recaptcha – wp plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 0.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.",null,"\u003C=0.2.6","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-09-30 13:15:29",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffdf102bb-66ed-4c4d-b9b0-906f58ec9253?source=api-prod",[],false,0,{"slug":7,"display_name":7,"profile_url":8,"plugin_count":14,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":48,"trust_score":49,"computed_at":50},30,68,"2026-05-20T01:26:04.101Z",[52,77,100,118,135],{"slug":53,"name":54,"version":55,"author":56,"author_profile":57,"description":58,"short_description":59,"active_installs":60,"downloaded":61,"rating":62,"num_ratings":63,"last_updated":64,"tested_up_to":65,"requires_at_least":66,"requires_php":67,"tags":68,"homepage":18,"download_link":73,"security_score":74,"vuln_count":75,"unpatched_count":46,"last_vuln_date":76,"fetched_at":27},"captcha-code-authentication","Captcha Code","3.31","WebFactory","https:\u002F\u002Fprofiles.wordpress.org\u002Fwebfactory\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fgetwpcaptcha.com\u002F\" rel=\"nofollow ugc\">Captcha\u003C\u002Fa> adds GDPR compatible captcha code anti-spam protection (like Google ReCaptcha) to WordPress forms – comments form, registration form, lost password form, and login form. In order to post comments or register, users have to type in the code shown on the image. This prevents spam from automated bots & adds security. No external services (like Google ReCaptcha) are used. 
No API keys are needed, and no user-identifiable data is used so it’s GDPR compatible.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Captcha position – comments form, login form, registration form, or lost password form.\u003C\u002Fli>\n\u003Cli>Letters type – capital letters, small letters, or captial & small letters.\u003C\u002Fli>\n\u003Cli>Captcha type – alphanumeric, alphabets or numbers.\u003C\u002Fli>\n\u003Cli>Translation enabled.\u003C\u002Fli>\n\u003C\u002Fol>\n","GDPR compatible captcha anti-spam protection for login form, comments form, registration form & lost password form. Eliminate spam with captcha.",100000,708754,76,34,"2026-04-14T19:46:00.000Z","7.0","3.0","5.2",[69,70,71,72,21],"captcha","comments-spam","form-captcha","login-captcha","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcaptcha-code-authentication.3.31.zip",99,2,"2023-11-24 00:00:00",{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":87,"num_ratings":88,"last_updated":89,"tested_up_to":90,"requires_at_least":91,"requires_php":18,"tags":92,"homepage":97,"download_link":98,"security_score":99,"vuln_count":46,"unpatched_count":46,"last_vuln_date":35,"fetched_at":27},"recaptcha-in-wp-comments-form","reCAPTCHA in WP comments form","9.1.2","jmviade","https:\u002F\u002Fprofiles.wordpress.org\u002Fjmviade\u002F","\u003Cp>reCAPTCHA in WP comments form plugin is an \u003Cstrong>ANTISPAM tool\u003C\u002Fstrong> that adds the visible Google \u003Cstrong>reCAPTCHA field\u003C\u002Fstrong> inside the comments form of your WP theme when the user is not logged in preventing fraudulent or deceptive comments.\u003C\u002Fp>\n\u003Cp>The plugin also \u003Cstrong>introduces a second verification process\u003C\u002Fstrong> that detects the unauthorized direct accesses by spam robots to the WP comments system and allows you to decide what do you want to do with those 
comments.\u003C\u002Fp>\n\u003Cp>Finally, the plugin has got an optional \u003Cstrong>forced javascript output mode\u003C\u002Fstrong> that lets you to add a reCAPTCHA field \u003Cstrong>also in old WP themes\u003C\u002Fstrong> that didn’t use the new WP form comments functions but they make a direct output of its own comments form.\u003C\u002Fp>\n\u003Ch4>FEATURES LIST\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Basic Features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>All variants\u003C\u002Fstrong> of Google reCAPTCHA field are available\u003C\u002Fli>\n\u003Cli>Two simple steps \u003Cstrong>Installation Wizard\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Automatic \u003Cstrong>default configuration settings\u003C\u002Fstrong> for all plugin components\u003C\u002Fli>\n\u003Cli>Automatic default configuration for reCAPTCHA field\u003C\u002Fli>\n\u003Cli>Configuration settings for Plugin \u003C\u002Fli>\n\u003Cli>Configuration settings for \u003Cstrong>ANTISPAM operation\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Four modes of operation in case of spam robots threats (SPAM, TRASH, DELETE or DIE)\u003C\u002Fli>\n\u003Cli>Visual configuration settings for Google reCAPTCHA: theme, size, type, align, language\u003C\u002Fli>\n\u003Cli>Dynamic comments form sample for viewing configuration settings changes\u003C\u002Fli>\n\u003Cli>Visual Help\u003C\u002Fli>\n\u003Cli>RTL Language support\u003C\u002Fli>\n\u003Cli>Admin Color scheme adapted\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Middle features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Forced language option for reCAPTCHA field\u003C\u002Fli>\n\u003Cli>Plugin \u003Cstrong>blocks the submit button\u003C\u002Fstrong> while reCAPTCHA field is not verified\u003C\u002Fli>\n\u003Cli>Plugin \u003Cstrong>changes HTML structure of the comments form\u003C\u002Fstrong> to prevent malicious automatic sendings while reCAPTCHA field is not verified\u003C\u002Fli>\n\u003Cli>Plugin also blocks 
\u003Cstrong>other elements with \u003Ccode>[type=submit]\u003C\u002Fcode> inside form\u003C\u002Fstrong> in case of a theme customized comments form\u003C\u002Fli>\n\u003Cli>Plugin lets you to write your own \u003Cstrong>additional CSS for the reCAPTCHA field\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>New \u003Cstrong>restore default value buttons\u003C\u002Fstrong> in plugin configuration section for helping you in case of changing WP theme, accidental errors, test environtments, etc.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Advanced features\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>reCAPTCHA \u003Cstrong>verification process via AJAX before submitting the form\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Second security checking process\u003C\u002Fstrong> for preventing any security breach \u003Cstrong>before saving the comment\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Supporting \u003Cstrong>four different WP comments form HTML structure types\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>Advanced plugin options \u003Cstrong>based on HTML queries\u003C\u002Fstrong> for inserting the reCAPTCHA plugin in all kinds of WP themes\u003C\u002Fli>\n\u003Cli>Optional \u003Cstrong>Forced javascript output\u003C\u002Fstrong> that allows you to use the plugin with old WP themes that didn’t use function \u003Ccode>comment_form()\u003C\u002Fcode>\u003C\u002Fli>\n\u003Cli>Advanced ID’s tags settings for using this plugin with WP Themes that creates its own comments form HTML struct\u003C\u002Fli>\n\u003Cli>reCAPTCHA javascript initialization that prevents reCAPTCHA conflicts in case of that other plugins use reCAPTCHA.\u003C\u002Fli>\n\u003Cli>New mínimum CSS styles for recaptcha alignment\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>PLUGIN PAGE\u003C\u002Fh4>\n\u003Cp>To learn more about the plugin, visit the \u003Ca href=\"http:\u002F\u002Fwww.joanmiquelviade.com\u002Fplugin\u002Fgoogle-recaptcha-in-wp-comments-form\u002F\" 
title=\"Author's plugin page\" rel=\"nofollow ugc\">Plugin page\u003C\u002Fa>.\u003C\u002Fp>\n","reCAPTCHA in WP comments form is an ANTISPAM tool that adds a Google reCAPTCHA to the comments form and protects your site from the spam robots threat &hellip;",8000,72956,82,20,"2019-04-22T12:10:00.000Z","5.1.22","4.0.0",[93,94,95,96,21],"antispam","antispam-protection","comments-antispam","comments-recaptcha","http:\u002F\u002Fwww.joanmiquelviade.com\u002Fplugin\u002Fgoogle-recaptcha-in-wp-comments-form\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frecaptcha-in-wp-comments-form.9.1.2.zip",85,{"slug":101,"name":102,"version":103,"author":104,"author_profile":105,"description":106,"short_description":107,"active_installs":108,"downloaded":109,"rating":13,"num_ratings":14,"last_updated":110,"tested_up_to":111,"requires_at_least":112,"requires_php":65,"tags":113,"homepage":116,"download_link":117,"security_score":99,"vuln_count":46,"unpatched_count":46,"last_vuln_date":35,"fetched_at":27},"toms-recaptcha","TomS reCAPTCHA","1.2.0","TomS Caprice","https:\u002F\u002Fprofiles.wordpress.org\u002Ftomsneddon\u002F","\u003Cp>Integrated Google ReCaptcha for WordPress. Protect the login, register, lostpassword and comment forms. Support Woocommerce, Ultimate Member and more popular forms.\u003Cbr \u002F>\n\u003Ca href=\"https:\u002F\u002Fdevelopers.google.com\u002Frecaptcha\" rel=\"nofollow ugc\">\u003Cstrong>Google reCAPTCHA\u003C\u002Fstrong>\u003C\u002Fa> is a free service that protects your site from spam and abuse. 
It uses advanced risk analysis techniques to tell humans and bots apart.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Go to \u003Ca href=\"https:\u002F\u002Fwww.google.com\u002Frecaptcha\u002Fadmin\u002Fcreate\" rel=\"nofollow ugc\">Google reCAPTCHA\u003C\u002Fa> to get the \u003Cstrong>Site key\u003C\u002Fstrong> and \u003Cstrong>Secret key\u003C\u002Fstrong>.\u003C\u002Fp>\n\u003Ch4>reCAPTCHA Type:\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>reCAPTCHA \u003Cstrong>v3\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>reCAPTCHA \u003Cstrong>v2 Checkbox\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>reCAPTCHA \u003Cstrong>v2 Invisible\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Supported Form List\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress default login form\u003C\u002Fli>\n\u003Cli>WordPress default register form\u003C\u002Fli>\n\u003Cli>WordPress default lostpassword form\u003C\u002Fli>\n\u003Cli>\n\u003Cp>WordPress default comment form\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">\u003Cstrong>Woocommerce\u003C\u002Fstrong>\u003C\u002Fa> login form\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">\u003Cstrong>Woocommerce\u003C\u002Fstrong>\u003C\u002Fa> register form\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">\u003Cstrong>Woocommerce\u003C\u002Fstrong>\u003C\u002Fa> lostpassword form\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwoocommerce\u002F\" rel=\"ugc\">\u003Cstrong>Woocommerce\u003C\u002Fstrong>\u003C\u002Fa> checkout Billing form\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Add a shortcode \u003Cstrong>[toms_woo_register_form]\u003C\u002Fstrong> for \u003Cstrong>woocommerce register form\u003C\u002Fstrong> on any page you 
want.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fultimate-member\u002F\" rel=\"ugc\">\u003Cstrong>Ultimate Member\u003C\u002Fstrong>\u003C\u002Fa> login form\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fultimate-member\u002F\" rel=\"ugc\">\u003Cstrong>Ultimate Member\u003C\u002Fstrong>\u003C\u002Fa> register form\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fultimate-member\u002F\" rel=\"ugc\">\u003Cstrong>Ultimate Member\u003C\u002Fstrong>\u003C\u002Fa> lostpassword form\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fcontact-form-block\u002F\" rel=\"ugc\">\u003Cstrong>Contact Form Block\u003C\u002Fstrong>\u003C\u002Fa> Contact Form Block\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>more support forms comming soon…\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Option settings\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Verify API : \u003Cstrong>Google.com\u003C\u002Fstrong>\u002F\u003Cstrong>Recaptcha.net\u003C\u002Fstrong> \u003Cstrong>—Notice:—\u003C\u002Fstrong> Some country can not use Google verify API, that means Google verify API will not work, even using vpn. 
If google.com not work try use Recaptcha.net\u003C\u002Fli>\n\u003Cli>reCAPTCHA v2 (Checkbox)  Theme: \u003Cstrong>Light\u003C\u002Fstrong>\u002F\u003Cstrong>Dark\u003C\u002Fstrong>\u003C\u002Fli>\n\u003Cli>reCAPTCHA v2 (Invisible) Badge: \u003Cstrong>Bottom Right\u003C\u002Fstrong>\u002F\u003Cstrong>Bottom Left\u003C\u002Fstrong>\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Custom reCAPTCHA Language\u003C\u002Fh4>\n\u003Ch4>Translation ready\u003C\u002Fh4>\n\u003Ch3>Translations\u003C\u002Fh3>\n\u003Cp>Reliance upon any non-English translation is at your own risk; TomS reCAPTCHA can give no guarantees that translations from the original English are accurate.\u003C\u002Fp>\n\u003Cp>We recognise and thank those mentioned at https:\u002F\u002Ftoms-caprice.org\u002Ftranslations for code and\u002For libraries used and\u002For modified under the terms of their open source licences.\u003C\u002Fp>\n","Integrated Google ReCaptcha for WordPress.Protect the login, register, lostpassword and comment forms. 
Support Woocommerce, Ultimate Member and more p &hellip;",600,16788,"2023-03-29T08:59:00.000Z","6.2.9","5.8",[114,69,115,21,101],"block-spam-comments","nocaptcha","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Ftoms-recaptcha","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftoms-recaptcha.1.2.0.zip",{"slug":119,"name":120,"version":121,"author":122,"author_profile":123,"description":124,"short_description":125,"active_installs":126,"downloaded":127,"rating":13,"num_ratings":128,"last_updated":129,"tested_up_to":130,"requires_at_least":17,"requires_php":18,"tags":131,"homepage":18,"download_link":133,"security_score":99,"vuln_count":46,"unpatched_count":46,"last_vuln_date":35,"fetched_at":134},"hercules-recaptcha","Hercules Recaptcha","1.1","Todd Nestor","https:\u002F\u002Fprofiles.wordpress.org\u002Ftoddnestor\u002F","\u003Cp>Hercules Recaptcha uses the latest Google Recaptcha API to more accurately determine if users are bots or not.\u003Cbr \u002F>\nIf the user is not logged in it will display a Recaptcha for the user to fill out in the comment form.  If the user\u003Cbr \u002F>\ndisables javascript and is not logged in then comments will fail to submit.\u003C\u002Fp>\n\u003Cp>The Recaptcha is also added to the registration page for both multisite setups and single blogs.  There are options for\u003Cbr \u002F>\nhaving it show up on comments and\u002For the registration page, as well as options for its position on the comment form, and\u003Cbr \u002F>\nwhich style (Google gives only two options, dark or light).\u003C\u002Fp>\n","Hercules Recaptcha adds a Recaptcha to the comment form for non-logged in users.  
It uses the latest Recaptcha API.",10,1771,5,"2015-01-19T02:03:00.000Z","4.0.38",[69,20,132,21,22],"hercules","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhercules-recaptcha.1.1.zip","2026-04-06T09:54:40.288Z",{"slug":136,"name":137,"version":138,"author":139,"author_profile":140,"description":141,"short_description":142,"active_installs":46,"downloaded":143,"rating":46,"num_ratings":46,"last_updated":144,"tested_up_to":145,"requires_at_least":91,"requires_php":146,"tags":147,"homepage":18,"download_link":149,"security_score":99,"vuln_count":46,"unpatched_count":46,"last_vuln_date":35,"fetched_at":27},"captcha-for-comments-form","Comments Form Captcha","1.0","Milankumar Kyada","https:\u002F\u002Fprofiles.wordpress.org\u002Fmilankyada\u002F","\u003Cp>This is a very basic plugin but work efficiently. Any suggestions are welcomed and I assure users that I will make\u003Cbr \u002F>\nchanges if it’s in favor of the plugin. This plugin is using google recaptcha and reason for making this plugin is the\u003Cbr \u002F>\nsame as others, I was facing spam comments too.\u003C\u002Fp>\n","This is a very basic plugin but work efficiently. 
Any suggestions are welcomed and I assure users that I will make",1048,"2020-01-24T21:03:00.000Z","5.3.21","5.2.4",[69,20,148,22],"googlerecaptcha","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcaptcha-for-comments-form.zip",{"attackSurface":151,"codeSignals":183,"taintFlows":203,"riskAssessment":229,"analyzedAt":244},{"hooks":152,"ajaxHandlers":179,"restRoutes":180,"shortcodes":181,"cronEvents":182,"entryPointCount":46,"unprotectedCount":46},[153,159,162,166,171,175,177],{"type":154,"name":155,"callback":156,"file":157,"line":158},"action","admin_init","wp_recaptcha_admin_init","recaptcha-wp.php",12,{"type":154,"name":160,"callback":161,"file":157,"line":11},"init","wp_recaptcha_init",{"type":154,"name":163,"callback":164,"file":157,"line":165},"wp_head","wp_recaptcha_head",44,{"type":167,"name":168,"callback":169,"file":157,"line":170},"filter","comment_form_field_comment","wp_recaptcha_config",53,{"type":167,"name":172,"callback":173,"file":157,"line":174},"preprocess_comment","wp_recaptcha_process",57,{"type":167,"name":168,"callback":169,"file":157,"line":176},61,{"type":167,"name":172,"callback":173,"file":157,"line":178},65,[],[],[],[],{"dangerousFunctions":184,"sqlUsage":185,"outputEscaping":187,"fileOperations":14,"externalRequests":46,"nonceChecks":46,"capabilityChecks":46,"bundledLibraries":202},[],{"prepared":46,"raw":46,"locations":186},[],{"escaped":46,"rawEcho":188,"locations":189},6,[190,192,194,196,198,200],{"file":157,"line":48,"context":191},"raw output",{"file":157,"line":193,"context":191},31,{"file":157,"line":195,"context":191},32,{"file":157,"line":197,"context":191},33,{"file":157,"line":199,"context":191},79,{"file":157,"line":201,"context":191},95,[],[204,221],{"entryPoint":205,"graph":206,"unsanitizedCount":14,"severity":37},"wp_recaptcha_getresult 
(recaptcha-wp.php:142)",{"nodes":207,"edges":219},[208,213],{"id":209,"type":210,"label":211,"file":157,"line":212},"n0","source","$_POST",146,{"id":214,"type":215,"label":216,"file":157,"line":217,"wp_function":218},"n1","sink","file_get_contents() [SSRF\u002FLFI]",147,"file_get_contents",[220],{"from":209,"to":214,"sanitized":45},{"entryPoint":222,"graph":223,"unsanitizedCount":14,"severity":37},"\u003Crecaptcha-wp> (recaptcha-wp.php:0)",{"nodes":224,"edges":227},[225,226],{"id":209,"type":210,"label":211,"file":157,"line":212},{"id":214,"type":215,"label":216,"file":157,"line":217,"wp_function":218},[228],{"from":209,"to":214,"sanitized":45},{"summary":230,"deductions":231},"The recaptcha-wp plugin, in version 0.2.6, exhibits a mixed security posture. On the positive side, the scan found no dangerous function calls and no SQL usage at all (neither prepared nor raw queries), and the plugin registers no AJAX handlers, REST API routes, shortcodes, or cron events. The scan also counted no external HTTP requests, but that count should not be read as ruling out network-level risk: the taint analysis flags a file_get_contents() call that receives $_POST data and labels it as a possible SSRF\u002FLFI sink.\n\nHowever, significant concerns arise from the lack of output escaping: none of the six identified outputs is escaped. This indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, where malicious scripts could be injected and executed within the user's browser. The unsanitized flows reported by the taint analysis, although rated medium rather than high or critical, are also a worry, suggesting potential for path traversal or other file system-related issues. No nonce or capability checks were detected either.\n\nFurthermore, the vulnerability history contains a medium-severity stored XSS vulnerability (CVE-2025-60177) that is currently unpatched. It requires administrator-level access and only affects multi-site installations and installations where unfiltered_html has been disabled, which limits its reach but does not remove it. This vulnerability, coupled with the current lack of output escaping, suggests a recurring issue with secure output handling within the plugin. 
While the plugin has strengths in its small registered attack surface and its absence of SQL usage, the unaddressed XSS risk and the unsanitized taint flows necessitate caution.",[232,235,238,240,242],{"reason":233,"points":234},"Unpatched CVE (medium severity XSS)",18,{"reason":236,"points":237},"0% output escaping",8,{"reason":239,"points":128},"Unsanitized paths in taint flows",{"reason":241,"points":128},"No nonce checks",{"reason":243,"points":128},"No capability checks","2026-03-16T22:17:00.224Z",{"wat":246,"direct":253},{"assetPaths":247,"generatorPatterns":249,"scriptPaths":250,"versionParams":252},[248],"\u002Fwp-content\u002Fplugins\u002Frecaptcha-wp\u002Frecaptcha-wp.php",[],[251],"https:\u002F\u002Fwww.google.com\u002Frecaptcha\u002Fapi.js?onload=onloadCallback&render=explicit",[],{"cssClasses":254,"htmlComments":256,"htmlAttributes":262,"restEndpoints":264,"jsGlobals":265,"shortcodeOutput":268},[255],"g-recaptcha",[257,258,259,260,261],"\u003C!-- \n    if( get_option( 'wp_recaptcha_register' )){","        add_action( 'register_form', 'wp_recaptcha_register_form' );","       ","    }","    -->",[263],"data-sitekey",[],[266,267],"onloadCallback","grecaptcha",[],{"error":270,"url":271,"statusCode":272,"statusMessage":273,"message":273},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Frecaptcha-wp\u002Fbundle",404,"no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":275,"versions":276},4,[277,285,293,301],{"version":278,"download_url":279,"svn_tag_url":280,"released_at":35,"has_diff":45,"diff_files_changed":281,"diff_lines":35,"trac_diff_url":282,"vulnerabilities":283,"is_current":45},"0.23","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frecaptcha-wp.0.23.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Frecaptcha-wp\u002Ftags\u002F0.23\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Frecaptcha-wp%2Ftags%2F0.22&new_path=%2Frecaptcha-wp%2Ftags%2F0.23",[284],{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"version":286,"download_url":287,"svn_tag_url":288,"released_at":35,"has_diff":45,"diff_files_changed":289,"diff_lines":35,"trac_diff_url":290,"vulnerabilities":291,"is_current":45},"0.22","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frecaptcha-wp.0.22.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Frecaptcha-wp\u002Ftags\u002F0.22\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Frecaptcha-wp%2Ftags%2F0.21&new_path=%2Frecaptcha-wp%2Ftags%2F0.22",[292],{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"version":294,"download_url":295,"svn_tag_url":296,"released_at":35,"has_diff":45,"diff_files_changed":297,"diff_lines":35,"trac_diff_url":298,"vulnerabilities":299,"is_current":45},"0.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frecaptcha-wp.0.21.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Frecaptcha-wp\u002Ftags\u002F0.21\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Frecaptcha-wp%2Ftags%2F0.2&new_path=%2Frecaptcha-wp%2Ftags%2F0.21",[300],{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"version":302,"download_url":303,"svn_tag_url":304,"released
_at":35,"has_diff":45,"diff_files_changed":305,"diff_lines":35,"trac_diff_url":35,"vulnerabilities":306,"is_current":45},"0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frecaptcha-wp.0.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Frecaptcha-wp\u002Ftags\u002F0.2\u002F",[],[307],{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35}]