A vulnerability has been identified in the WordPress reCAPTCHA plugin, which protects WordPress website forms from spam and automated (bot) logins, that could allow threat actors to perform cross-site scripting (XSS) attacks on affected installations.
The vulnerability, tracked as CVE-2022-3831, affects the “unfiltered_html” component and is caused by insufficient sanitization of user-supplied data. Exploiting it requires administrative privileges.
The vulnerability, rated medium severity, affects all versions of WordPress reCAPTCHA up to and including 1.6. The plugin has been removed from the WordPress plugin directory since November 2, 2022, and no released version fixes the vulnerability. Users who still run the plugin on their WordPress installations are therefore advised to disable or remove it immediately to avoid being affected.
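Because the only remediation is to disable or remove the plugin, the practical first step for an administrator is to find out whether an affected copy is installed at all. The following shell check is an added example and is not code from the advisory or from the plugin's authors. It assumes the default WordPress layout (each plugin in its own directory under wp-content/plugins, with a main file carrying the standard "Plugin Name:" and "Version:" header block) and, since the page does not give the plugin's directory slug, it matches on the header name rather than on a hard-coded slug. The version comparison is general (any dotted version against any other), so it can be reused for other plugin advisories.

```shell
#!/bin/sh
# Added example (not from the advisory): walk a WordPress plugins directory and
# report any plugin whose "Plugin Name:" header mentions reCAPTCHA at version
# 1.6 or earlier, the range the advisory names as affected by CVE-2022-3831.
# Assumptions: each plugin lives in <plugins_dir>/<slug>/ and its main file
# carries the standard WordPress header block. The affected plugin's directory
# slug is not stated on the page, so matching is done on the header name.

# Read one header field (e.g. "Version") from a plugin file. Header lines look
# like "Plugin Name: reCAPTCHA" or " * Version: 1.6"; keep the text after the
# first colon, drop CRs and surrounding whitespace. Prints nothing if absent.
header_value() {
    grep -i -m1 "^[[:space:]*/]*$2:" "$1" \
        | cut -d: -f2- \
        | tr -d '\r' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 when dotted version $1 is less than or equal to $2, comparing
# numerically component by component (missing components count as 0).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# Print "<slug> <version>" for every reCAPTCHA plugin at version 1.6 or below.
find_vulnerable_recaptcha() {
    plugins_dir=$1
    for f in "$plugins_dir"/*/*.php; do
        [ -f "$f" ] || continue
        name=$(header_value "$f" "Plugin Name")
        [ -n "$name" ] || continue            # not a plugin main file
        printf '%s' "$name" | grep -qi recaptcha || continue
        ver=$(header_value "$f" "Version")
        [ -n "$ver" ] || continue
        if version_le "$ver" "1.6"; then
            printf '%s %s\n' "$(basename "$(dirname "$f")")" "$ver"
        fi
    done
}

# Usage (assumed default WordPress path):
#   find_vulnerable_recaptcha /var/www/html/wp-content/plugins
```

Any line printed names a plugin directory that should be deactivated in the WordPress admin and then deleted; a plugin that is merely deactivated still has its PHP files on disk, so removal is the cleaner end state when no fixed release exists.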