CVE-2025-46541: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in elrata_ WP-reCAPTCHA-bp

Medium
Published: Thu Apr 24 2025 (04/24/2025, 16:09:17 UTC)
Source: CVE
Vendor/Project: elrata_
Product: WP-reCAPTCHA-bp

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elrata_ WP-reCAPTCHA-bp allows Stored XSS. This issue affects WP-reCAPTCHA-bp: from n/a through 4.1.

AI-Powered Analysis

Last updated: 06/24/2025, 07:25:36 UTC

Technical Analysis

CVE-2025-46541 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the WordPress plugin WP-reCAPTCHA-bp developed by elrata_. This vulnerability arises due to improper neutralization of input during web page generation, allowing malicious scripts to be stored and subsequently executed in the context of users visiting the affected web pages. Specifically, the plugin fails to adequately sanitize or encode user-supplied input before embedding it into web pages, enabling attackers to inject arbitrary JavaScript code. When a victim accesses the compromised page, the malicious script executes within their browser, potentially leading to session hijacking, credential theft, defacement, or distribution of malware. The vulnerability affects all versions of WP-reCAPTCHA-bp up to and including version 4.1. No patches or fixes have been released at the time of this report, and there are no known exploits in the wild. The vulnerability was publicly disclosed on April 24, 2025, and has been enriched by CISA, indicating recognition by cybersecurity authorities. WP-reCAPTCHA-bp is a plugin used to integrate CAPTCHA functionality into WordPress sites, often to prevent automated abuse such as spam or brute-force attacks. Stored XSS vulnerabilities in such plugins are particularly dangerous because they can affect any user visiting the site, including administrators, increasing the risk of privilege escalation or site takeover.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with WP-reCAPTCHA-bp installed. Stored XSS can compromise the confidentiality and integrity of user data by enabling attackers to steal session cookies, credentials, or inject malicious payloads that alter site content or behavior. This can lead to unauthorized access, data breaches involving personal or sensitive information protected under GDPR, reputational damage, and potential regulatory penalties. Additionally, attackers could leverage the vulnerability to distribute malware or conduct phishing campaigns targeting site visitors. The availability of the affected sites could also be indirectly impacted if attackers deface the website or cause operational disruptions. Given the widespread use of WordPress across European businesses, including SMEs and public sector entities, the vulnerability poses a broad risk. However, the absence of known active exploitation reduces immediate urgency but does not eliminate the threat, as stored XSS vulnerabilities are commonly targeted once disclosed. Organizations with high-traffic websites or those handling sensitive user data are at elevated risk.

Mitigation Recommendations

1. Immediate mitigation should include disabling or uninstalling the WP-reCAPTCHA-bp plugin until a security patch is released.
2. Implement Web Application Firewall (WAF) rules specifically designed to detect and block XSS payloads targeting the affected plugin's input vectors.
3. Conduct a thorough audit of all user-generated content fields processed by WP-reCAPTCHA-bp to identify and remove any malicious scripts that may have been injected prior to mitigation.
4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website, reducing the impact of potential XSS attacks.
5. Monitor website logs and user reports for suspicious activity indicative of exploitation attempts.
6. Once a patch is available, promptly update the plugin and verify the fix through security testing.
7. Educate site administrators and developers on secure coding practices and the importance of input validation and output encoding to prevent similar vulnerabilities.
8. Consider alternative CAPTCHA solutions with a strong security track record if the plugin remains unpatched for an extended period.

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-04-24T14:23:35.867Z
CISA Enriched: true

Threat ID: 682d983fc4522896dcbf0c13

Added to database: 5/21/2025, 9:09:19 AM

Last enriched: 6/24/2025, 7:25:36 AM

Last updated: 8/16/2025, 12:24:57 PM
