WordPress is the most popular website platform around, which means its plugins are a juicy target for hackers. A recently disclosed vulnerability—CVE-2025-23840—affects the WP-NOTCAPTCHA plugin, making it possible for attackers to execute reflected Cross-site Scripting (XSS) on any site running this plugin. In this guide, you'll get a clear run-down of what this bug is, how the exploit works, and what you should do about it.
What Is CVE-2025-23840?
- Vulnerability Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Vulnerability Type: Reflected XSS
Reflected XSS means that untrusted input (for example, something you type into a URL) is not properly filtered and gets sent right back in the webpage. Attackers can use this to make a site run JavaScript commands in the browser of whoever clicks their crafted link.
Explaining the Bug—In Simple Terms
The plugin WP-NOTCAPTCHA adds a Google reCAPTCHA to your WordPress forms. Unfortunately, its code fails to safely clean up parameters from visitor requests before displaying them on the page.
If you send it a carefully crafted URL containing JavaScript, your browser will actually run that code—the classic recipe for a reflected XSS.
Example: The Vulnerable Code
The specific problem is that user input from query parameters gets printed into the page HTML, without escaping.
A simplified version of the vulnerable code might look like this:
<?php
// Simplified illustration of the insecure pattern (not the plugin's actual source):
// the raw query-string value is concatenated straight into HTML with no escaping.
if (isset($_GET['notcaptcha_error'])) {
    echo "<div class='error-message'>" . $_GET['notcaptcha_error'] . "</div>";
}
?>
Here, whatever you include in the notcaptcha_error URL parameter is written into the page *as-is*.
1. Attacker Crafts a Link
Anyone can prepare a URL like this:
https://victim-wordpress-site.com/wp-login.php?notcaptcha_error=<script>alert('XSS')</script>
This URL injects JavaScript that instantly pops up an alert().
2. Victim Clicks Link
When any logged-in user (including the admin!) clicks the link, the malicious script runs in their browser while they’re logged in.
In a real attack: Hackers could swap the alert for their own JavaScript, like stealing cookies, loading phishing forms, or hijacking sessions.
A barebones demonstration exploit:
URL:
https://yoursite.com/wp-login.php?notcaptcha_error=<script>alert(document.cookie)</script>
Visiting this shows all your cookie info in a JavaScript popup—which an attacker could instead send to a remote server.
Fix Status
As of June 2024, WP-NOTCAPTCHA version 1.3.1 and below are vulnerable. Later versions may have a patch—make sure you're running the absolute latest release. If you're stuck on an old version, consider switching plugins or disabling WP-NOTCAPTCHA until you can upgrade.
- Update the WP-NOTCAPTCHA plugin to the latest version ASAP.
- Deploy a Web Application Firewall (WAF) like Wordfence or Sucuri.
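To make the fix concrete, here is an added example (not the plugin's own code) that renders the same error banner two ways: the unsafe echo from the snippet above beside an output-escaped version. It assumes WordPress's esc_html() when running inside WordPress and falls back to plain htmlspecialchars() so it also runs from the command line.

```php
<?php
// Added example, not the plugin's code. render_unsafe() mirrors the vulnerable
// pattern in the write-up; render_safe() escapes the value before it reaches HTML.

function escape_for_html(string $value): string
{
    // Assumption: esc_html() exists only inside WordPress; outside it, use
    // htmlspecialchars() with ENT_QUOTES so both quote styles are encoded.
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_unsafe(array $get): string
{
    if (!isset($get['notcaptcha_error'])) {
        return '';
    }
    // Vulnerable: raw query-string value concatenated into markup.
    return "<div class='error-message'>" . $get['notcaptcha_error'] . "</div>";
}

function render_safe(array $get): string
{
    // Reject non-string input too: ?notcaptcha_error[]=x arrives as an array,
    // which would make the escaping call throw instead of rendering.
    if (!isset($get['notcaptcha_error']) || !is_string($get['notcaptcha_error'])) {
        return '';
    }
    // Hardened: escape on output, so <, >, &, and quotes become entities and
    // the browser treats the value as text, not as a tag.
    $msg = escape_for_html($get['notcaptcha_error']);
    return "<div class='error-message'>" . $msg . "</div>";
}

// Constructed input: the same payload shape used in the demonstration above.
$request = ['notcaptcha_error' => "<script>alert('XSS')</script>"];

echo "Unsafe: ", render_unsafe($request), PHP_EOL;
echo "Safe:   ", render_safe($request), PHP_EOL;
```

The safe output keeps the literal `<script>` text visible in the banner but inert, which is the behaviour the plugin update needs to restore; a WAF rule blocking `<script` in that parameter is a stopgap, not a replacement for escaping.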
References
- CVE-2025-23840 on NVD (official)
- WP-NOTCAPTCHA on WordPress.org
- OWASP XSS Explanation
Final Advice
If you use WP-NOTCAPTCHA, this bug is your top priority. Not acting gives hackers a free pass to your users and even your admin account. Patch this one before your site ends up part of an XSS campaign!
Timeline
Published on: 02/17/2025 12:15:27 UTC