CVE-2025-23840 - Reflected XSS in WP-NOTCAPTCHA Plugin Explained With Code & Exploit Details

WordPress is the most popular website platform around, which makes its plugins a juicy target for attackers. A recently disclosed vulnerability, CVE-2025-23840, affects the WP-NOTCAPTCHA plugin and allows reflected Cross-site Scripting (XSS) against any site running a vulnerable version. In this guide, you'll get a clear run-down of what the bug is, how the exploit works, and what you should do about it.

What Is CVE-2025-23840?

- Vulnerability Name: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- Vulnerability Type: Reflected XSS

Reflected XSS means that untrusted input (for example, a value in a URL query parameter) is written straight back into the page without proper escaping. An attacker crafts a link carrying a script payload; whoever opens that link has the script run in their browser, in the context of the vulnerable site.

Explaining the Bug—In Simple Terms

The WP-NOTCAPTCHA plugin adds a CAPTCHA challenge to your WordPress forms. Unfortunately, its code fails to escape request parameters before printing them into the page.

If a victim opens a carefully crafted URL containing JavaScript, their browser runs that code in the site's origin: the classic recipe for a reflected XSS.

Example: The Vulnerable Code

The specific problem is that user input from a query parameter is printed into the page HTML without escaping.

A simplified version of the vulnerable code might look like this:

<?php
// Pseudo code: insecure echoing of $_GET parameters
if (isset($_GET['notcaptcha_error'])) {
    echo "<div class='error-message'>" . $_GET['notcaptcha_error'] . "</div>";
}
?>

Here, whatever you put in the notcaptcha_error URL parameter is written into the page *as-is*.

Anyone can prepare a URL like this (the browser percent-encodes the angle brackets when the link is opened, and PHP decodes them again when it populates $_GET):

https://victim-wordpress-site.com/wp-login.php?notcaptcha_error=<script>alert('XSS')</script>

This URL injects JavaScript that pops up an alert() as soon as the page loads.

No login is needed to reach wp-login.php, so anyone who opens the link is affected, but the damage is greatest when a logged-in user (including the admin!) clicks it: the script then runs in their browser with their session active.

In a real attack, the alert would be swapped for the attacker's own JavaScript: stealing cookies, loading phishing forms, or hijacking the session by issuing requests on the victim's behalf.

A barebones demonstration exploit

URL:
https://yoursite.com/wp-login.php?notcaptcha_error=<script>alert(document.cookie)</script>

Visiting this shows the cookies readable from JavaScript in a popup, which an attacker could instead send to a remote server. One caveat: WordPress sets its authentication cookies with the HttpOnly flag, so document.cookie will not reveal them. That limits cookie theft, not the attack: injected script still runs inside the victim's authenticated browser session and can issue requests (for example to admin-ajax.php or the REST API) that the site treats as the victim's own.
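Here is the vulnerable pattern beside a hardened version, as an added example written for this article rather than code taken from the plugin. It runs stand-alone with the PHP CLI by defining minimal stand-ins for the WordPress helpers esc_html(), sanitize_text_field() and wp_unslash(); inside WordPress those helpers come from core and the stand-ins are skipped. The function names render_error_vulnerable() and render_error_fixed() and the sample request are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): the insecure echo from this article beside a
// hardened version. Run with: php xss_fix_demo.php
// render_error_vulnerable()/render_error_fixed() and $sample_get are illustrative assumptions.

// Stand-ins so the script runs outside WordPress. Inside WordPress these come from core
// and must not be redefined, hence the function_exists() guards.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Simplified stand-in: the real helper also handles invalid UTF-8, octets and whitespace.
        return trim(strip_tags($text));
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return is_string($value) ? stripslashes($value) : $value;
    }
}

// The pattern described in the article: raw request data written straight into HTML.
function render_error_vulnerable(array $get): string {
    if (!isset($get['notcaptcha_error'])) {
        return '';
    }
    return "<div class='error-message'>" . $get['notcaptcha_error'] . "</div>";
}

// Hardened: unslash, sanitize on input, and escape on output. esc_html() is the step
// that actually prevents XSS: the browser receives text, not markup.
function render_error_fixed(array $get): string {
    if (!isset($get['notcaptcha_error'])) {
        return '';
    }
    $message = sanitize_text_field(wp_unslash((string) $get['notcaptcha_error']));
    return "<div class='error-message'>" . esc_html($message) . "</div>";
}

// Constructed sample input standing in for $_GET after the URL above is requested.
$sample_get = ['notcaptcha_error' => "<script>alert('XSS')</script>"];

$before = render_error_vulnerable($sample_get);
$after  = render_error_fixed($sample_get);

echo "vulnerable: $before\n";
echo "fixed:      $after\n";

// Self-check: the raw version reflects the tag, the hardened version must not.
if (strpos($before, '<script>') === false || strpos($after, '<script>') !== false) {
    fwrite(STDERR, "unexpected output: hardened version still reflects <script>\n");
    exit(1);
}
```

The fix that matters is esc_html() at the point where the value enters HTML; sanitize_text_field() on input is the usual WordPress companion, but input sanitization alone is not a substitute for output escaping, because the same value may later be printed into an attribute or a different context.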

Fix Status

As of June 2024, WP-NOTCAPTCHA version 1.3.1 and below are vulnerable. Check the plugin's changelog for a release that addresses this CVE and update to it; if no fixed release is available or you're stuck on an old version, disable WP-NOTCAPTCHA or switch plugins until you can upgrade.

- Update the WP-NOTCAPTCHA plugin to the latest version ASAP.
- Deploy a Web Application Firewall (WAF) like Wordfence or Sucuri as a second layer. A WAF can block common payloads, but it is not a substitute for the patch.
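While you roll out the update, it helps to know whether anyone has already tried this against your site. The following is an added example, not part of the advisory or any vendor tooling: a small PHP script that scans web-server access log lines in combined format, decodes the query string the way PHP does for $_GET, and flags requests whose notcaptcha_error value carries markup. The log lines are constructed for the demo, and the function name find_notcaptcha_xss_attempts() is an assumption.

```php
<?php
// Added example (not from the plugin or any vendor): flag access-log requests whose
// notcaptcha_error parameter carries markup. Run with: php scan_notcaptcha.php
// The log lines are constructed; find_notcaptcha_xss_attempts() is an illustrative name.

$sample_log = <<<'LOG'
203.0.113.7 - - [17/Feb/2025:13:02:11 +0000] "GET /wp-login.php?notcaptcha_error=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.5 - - [17/Feb/2025:13:03:40 +0000] "GET /wp-login.php?notcaptcha_error=Please+complete+the+captcha HTTP/1.1" 200 4190 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Feb/2025:13:04:02 +0000] "GET /wp-login.php?notcaptcha_error=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4230 "-" "curl/8.5.0"
192.0.2.9 - - [17/Feb/2025:13:05:15 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
LOG;

/**
 * Return one finding per request whose notcaptcha_error value, after URL decoding,
 * contains an HTML tag, a script tag, an on* event handler or a javascript: URL.
 */
function find_notcaptcha_xss_attempts(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Combined log format: client IP first, timestamp in brackets, request line in quotes.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        [, $ip, $when, $target] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue; // no query string, nothing to reflect
        }
        parse_str($query, $params); // percent-decodes values, as PHP does when building $_GET
        if (!isset($params['notcaptcha_error'])) {
            continue;
        }
        $value = (string) $params['notcaptcha_error'];
        if (preg_match('/<[a-z!\/]|<\s*script|\bon[a-z]+\s*=|javascript:/i', $value)) {
            $findings[] = ['ip' => $ip, 'time' => $when, 'payload' => $value];
        }
    }
    return $findings;
}

foreach (find_notcaptcha_xss_attempts($sample_log) as $finding) {
    printf("%s %s %s\n", $finding['time'], $finding['ip'], $finding['payload']);
}
```

On the constructed sample, the first and third lines are flagged (both from 203.0.113.7) and the benign error text and the parameter-less request are not. Point it at your own log with file_get_contents(); expect some noise from scanners, so the useful signal is which source addresses sent payloads and whether those requests still returned 200 after the patch date.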

References

- CVE-2025-23840 on NVD (official)
- WP-NOTCAPTCHA on WordPress.org
- OWASP XSS Explanation

Final Advice

If you use WP-NOTCAPTCHA, this bug is your top priority. Not acting gives hackers a free pass to your users and even your admin account. Patch this one before your site ends up part of an XSS campaign!

Timeline

Published on: 02/17/2025 12:15:27 UTC