[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_9lWFsOZxiIIId3sgfFLJsstkS30xbPSjsspNOhlwUs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-25315","hcaptcha-for-wp-missing-authorization","hCaptcha for WP \u003C= 4.22.0 - Missing Authorization","The hCaptcha for WP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.22.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.","hcaptcha-for-forms-and-more",null,"\u003C=4.22.0","4.23.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-26 00:00:00","2026-05-04 15:20:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7235f5b9-43a6-4290-a6b6-f93ed8c7fa5d?source=api-prod",99,[22,23,24,25,26],"assets\u002Fcss\u002Fsettings-base.css","assets\u002Fcss\u002Fsettings-base.min.css","assets\u002Fjs\u002Fapps\u002Fhcaptcha.js","assets\u002Fjs\u002Fhcaptcha-fst.js","assets\u002Fjs\u002Fhcaptcha-fst.min.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-25315 (hCaptcha for WP \u003C= 4.22.0)\n\n## 1. Vulnerability Summary\nThe **hCaptcha for WP** plugin (versions up to 4.22.0) contains a \"Missing Authorization\" vulnerability in its \"Form Submit Token\" (FST) mechanism. The plugin registers an AJAX endpoint (likely for both authenticated and unauthenticated users) designed to issue a \"pre-verification\" token. This token, when included in form submissions, allows the server to bypass the standard hCaptcha challenge verification. Because the AJAX handler lacks both capability checks (`current_user_can`) and CSRF protection (nonces), an unauthenticated attacker can programmatically request these tokens and bypass hCaptcha protection on any form (e.g., login, registration, or comment forms).\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Action:** Dynamically defined by the plugin, but identified in JS as `HCaptchaFSTObject.issueTokenAction` (likely `hcap_fst_issue_token`).\n- **Parameters:**\n    - `action`: The value of `HCaptchaFSTObject.issueTokenAction`.\n    - `postId`: The ID of the post\u002Fpage where the form resides (used for context, but often optional or easily guessable).\n- **Authentication:** Unauthenticated (vulnerable via `wp_ajax_nopriv_` hook).\n- **Preconditions:** The \"Form Submit Token\" (FST) feature must be enabled in the plugin settings (often enabled by default or for specific integrations).\n\n## 3. Code Flow\n1.  **Frontend Script:** `assets\u002Fjs\u002Fhcaptcha-fst.js` is enqueued on pages containing hCaptcha-protected forms.\n2.  **JS Initialization:** The script `fst.init()` listens for `hCaptchaLoaded`.\n3.  **Token Request:** The `getToken()` function (line 46) is triggered.\n4.  **AJAX Call:** It constructs a `URLSearchParams` object (lines 52-53):\n    ```javascript\n    formBody.set( 'action', HCaptchaFSTObject.issueTokenAction );\n    formBody.set( 'postId', postId );\n    ```\n5.  **Submission:** It performs a `fetch` request to `HCaptchaFSTObject.ajaxUrl` (line 55) without any nonce or authentication headers.\n6.  **Vulnerable Sink:** The PHP function registered to the `issueTokenAction` returns a valid hCaptcha bypass token (`token`) in a JSON response without verifying if the user is a legitimate human or has the appropriate permissions.\n\n## 4. Nonce Acquisition Strategy\nAccording to the source file `assets\u002Fjs\u002Fhcaptcha-fst.js`, **no nonce is required** for this specific AJAX request. The `fetch` call at line 55 only passes the `action` and `postId`. \n\nHowever, to obtain the exact `action` string (which might change or be unique), the agent should:\n1.  Identify a page where hCaptcha is active (e.g., the homepage or a specific post).\n2.  Use `browser_eval` to extract the localization object:\n    `browser_eval(\"window.HCaptchaFSTObject\")`\n3.  Extract the `issueTokenAction` value from that object.\n\n## 5. Exploitation Strategy\n### Step 1: Discover the AJAX Action\nUse the browser to find the specific action name used by the FST system.\n- **URL:** Homepage or any post with hCaptcha enabled.\n- **JS Command:** `HCaptchaFSTObject.issueTokenAction`\n\n### Step 2: Request the Bypass Token\nSend an unauthenticated `POST` request to `admin-ajax.php`.\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded;charset=UTF-8`\n- **Body:** `action=[ACTION_NAME_FROM_STEP_1]&postId=1` (where `postId` can be any valid ID).\n\n### Step 3: Use the Token to Bypass Captcha\nUse the returned token in a form submission (e.g., a comment).\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-comments-post.php`\n- **Parameters:** Include `hcap_fst_token=[TOKEN_FROM_STEP_2]` and standard comment fields (`comment`, `author`, `email`).\n- **Expected Outcome:** The comment is accepted without the user solving an actual hCaptcha challenge.\n\n## 6. Test Data Setup\n1.  Install and activate \"hCaptcha for WP\" \u003C= 4.22.0.\n2.  Configure hCaptcha with Site Key and Secret (use test keys if necessary).\n3.  Enable hCaptcha for \"WordPress Comment Form\".\n4.  Ensure a post exists (e.g., `?p=1`) where comments are open.\n5.  Check plugin settings to ensure \"Form Submit Token\" or \"FST\" optimization is enabled (if it's a toggleable feature).\n\n## 7. Expected Results\n- The AJAX request to `admin-ajax.php` should return a `200 OK` response with a JSON body similar to:\n  `{\"success\":true,\"data\":{\"token\":\"[32-64_char_alphanumeric_string]\"}}`\n- Submitting a comment with this `token` in the `hcap_fst_token` field should succeed even if the `h-captcha-response` field is empty or missing.\n\n## 8. Verification Steps\n1.  **Check Comment Status:** Use WP-CLI to verify the comment was created:\n    `wp comment list --post_id=1 --status=approve`\n2.  **Verify Nonce Absence:** Confirm that repeating the `http_request` from Step 2 works without any `_wpnonce` or `cookie` headers.\n\n## 9. Alternative Approaches\n- **Registration Bypass:** If comments are closed, test against the registration form (`\u002Fwp-login.php?action=register`). The `hcap_fst_token` should work there as well.\n- **Variable Inspection:** If `HCaptchaFSTObject` is not defined, search the HTML source for `hcaptcha-fst-js-extra` which is the standard WordPress ID for localized scripts.\n- **Parameter Variation:** Try the request without `postId` to see if it's mandatory; if the plugin uses it to generate a post-specific token, the exploit may require matching the `postId` of the target form.","The hCaptcha for WP plugin is vulnerable to unauthorized bypass of hCaptcha challenges due to missing authorization and CSRF checks in its 'Form Submit Token' (FST) AJAX handler. This allows unauthenticated attackers to programmatically obtain valid bypass tokens, which can be used to submit protected forms (like comments or registration) without completing the hCaptcha challenge.","\u002F\u002F assets\u002Fjs\u002Fhcaptcha-fst.js lines 46-60\n\t\tgetToken() {\n\t\t\t( async function() {\n\t\t\t\tconst bodyClassName = document.body.className;\n\t\t\t\tlet postId = bodyClassName.match( \u002Fpost-id-(\\d+)\u002F )?.[ 1 ] ?? '';\n\t\t\t\tpostId = bodyClassName.match( \u002Fpage-id-(\\d+)\u002F )?.[ 1 ] ?? postId;\n\t\t\t\tconst formBody = new URLSearchParams();\n\n\t\t\t\tformBody.set( 'action', HCaptchaFSTObject.issueTokenAction );\n\t\t\t\tformBody.set( 'postId', postId );\n\n\t\t\t\tconst res = await fetch( HCaptchaFSTObject.ajaxUrl, {\n\t\t\t\t\tmethod: 'POST',\n\t\t\t\t\tcredentials: 'same-origin',\n\t\t\t\t\tcache: 'no-store',\n\t\t\t\t\theaders: {\n\t\t\t\t\t\t'Content-Type': 'application\u002Fx-www-form-urlencoded;charset=UTF-8',\n\t\t\t\t\t},\n\t\t\t\t\tbody: formBody.toString(),\n\t\t\t\t} );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhcaptcha-for-forms-and-more\u002F4.22.0\u002Fassets\u002Fcss\u002Fsettings-base.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhcaptcha-for-forms-and-more\u002F4.23.0\u002Fassets\u002Fcss\u002Fsettings-base.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhcaptcha-for-forms-and-more\u002F4.22.0\u002Fassets\u002Fcss\u002Fsettings-base.css\t2025-11-30 21:59:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhcaptcha-for-forms-and-more\u002F4.23.0\u002Fassets\u002Fcss\u002Fsettings-base.css\t2026-02-08 07:52:14.000000000 +0000\n@@ -86,7 +86,7 @@\n }\n \n #hcaptcha-options table tr td fieldset input[type=\"checkbox\"] {\n-\tdisplay: inline;\n+\tdisplay: inline-block;\n \tborder: none;\n \tbox-shadow: none;\n \twidth: 2.3611rem;","1. Visit the target site's homepage or any post where hCaptcha is active and inspect the 'HCaptchaFSTObject' global variable to find the 'issueTokenAction' name (e.g., 'hcap_fst_issue_token').\n2. Send an unauthenticated POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the parameters 'action' (the discovered action name) and 'postId' (the current page ID).\n3. Since the endpoint lacks authorization checks and nonces, it will return a JSON object containing a valid bypass 'token'.\n4. Submit a target form (such as 'wp-comments-post.php') including the 'hcap_fst_token' parameter set to the value of the captured token.\n5. The form submission will bypass the hCaptcha verification logic entirely, even without a valid 'h-captcha-response' payload.","gemini-3-flash-preview","2026-05-05 00:12:19","2026-05-05 00:13:27",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","4.22.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhcaptcha-for-forms-and-more\u002Ftags\u002F4.22.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhcaptcha-for-forms-and-more.4.22.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhcaptcha-for-forms-and-more\u002Ftags\u002F4.23.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhcaptcha-for-forms-and-more.4.23.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhcaptcha-for-forms-and-more\u002Ftags"]