{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2482", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-17T22:47:55.832Z", "datePublished": "2025-03-22T06:41:11.639Z", "dateUpdated": "2026-04-08T16:59:42.385Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:42.385Z"}, "affected": [{"vendor": "pienaro", "product": "Gotcha | Gesture-based Captcha", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Gotcha | Gesture-based Captcha plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'menu' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Gotcha | Gesture-based Captcha <= 1.0.0 - Reflected Cross-Site Scripting via menu Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e7f1fe6-0a23-48e1-a75f-f8c1c8d4f8e0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gotcha-gesture-based-captcha/trunk/admin/libs/setting.php#L223"}, {"url": "https://wordpress.org/plugins/gotcha-gesture-based-captcha/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-03-21T17:56:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-01T16:25:17.862141Z", "id": "CVE-2025-2482", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T16:25:28.341Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2482", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-01T16:25:17.862141Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T16:25:23.770Z"}}], "cna": {"title": "Gotcha | Gesture-based Captcha <= 1.0.0 - Reflected Cross-Site Scripting via menu Parameter", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "pienaro", "product": "Gotcha | Gesture-based Captcha", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-21T17:56:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e7f1fe6-0a23-48e1-a75f-f8c1c8d4f8e0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gotcha-gesture-based-captcha/trunk/admin/libs/setting.php#L223"}, {"url": "https://wordpress.org/plugins/gotcha-gesture-based-captcha/#developers"}], "descriptions": [{"lang": "en", "value": "The Gotcha | Gesture-based Captcha plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'menu' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:42.385Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2482", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:42.385Z", "dateReserved": "2025-03-17T22:47:55.832Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-22T06:41:11.639Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gotcha | Gesture-based Captcha plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'menu' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Gotcha | Gesture-based Captcha para WordPress es vulnerable a Cross-Site Scripting reflejado a trav\u00e9s del par\u00e1metro 'menu' en todas las versiones hasta la 1.0.0 incluida, debido a una depuraci\u00f3n de entrada y al escape de salida insuficiente. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar al usuario para que realice una acci\u00f3n, como hacer clic en un enlace."}], "id": "CVE-2025-2482", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-22T07:15:25.307", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gotcha-gesture-based-captcha/trunk/admin/libs/setting.php#L223"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/gotcha-gesture-based-captcha/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e7f1fe6-0a23-48e1-a75f-f8c1c8d4f8e0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:48:13.862194+00:00", "value": {"mitigation_remediation": ["Upgrade Gotcha \u2502 Gesture\u2011based Captcha to a version that removes the vulnerable 'menu' parameter handling (check the vendor changelog for a fix).", "If an update is not immediately possible, disable or sanitize the 'menu' parameter in the plugin\u2019s source code or through a custom filter to prevent reflected script injection.", "Implement a strict Content Security Policy that blocks inline scripts and restricts script sources to trusted origins, reducing the impact if an attacker succeeds in injecting payloads."], "summary": {"action": "Update plugin", "impact": "Reflected Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The issue affects all installations of the Gotcha \u2502 Gesture\u2011based Captcha plugin published by Pienaro. Any WordPress site running version 1.0.0 or earlier is vulnerable; newer releases are not mentioned as affected by the vendor.", "description_and_impact": "This vulnerability is a reflected cross\u2011site scripting flaw in the Gotcha \u2502 Gesture\u2011based Captcha WordPress plugin. The flaw exists because the 'menu' parameter is not properly sanitized or escaped, allowing an attacker to inject arbitrary JavaScript that runs when a victim follows a crafted link. The weakness is a classic input validation issue, identified as CWE\u201179, and permits unauthenticated exploitation without needing special permissions. When triggered, the injected script can steal session cookies, deface the page, or redirect the user, compromising confidentiality, integrity, and availability of the site.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% shows a very low but non\u2011zero probability of exploitation. The plugin is not listed in the CISA KEV catalog, which means there are no known active exploits reported. Because the vulnerability can be triggered by an unauthenticated user via a malicious link, the attack vector is most likely social engineering or phishing. An attacker does not need to log in, but relies on user interaction to execute the injected code."}}}}, "created": "2026-04-21T22:00:26.592891+00:00", "updated": "2026-04-21T22:00:26.592902+00:00", "vendors": []}