[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5WKYVbysngm9oTJNgu8XKK8Sr9ymAcZ5C2vQhRInkXA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4121","kcaptcha-cross-site-request-forgery-to-settings-update","Kcaptcha \u003C= 1.0.1 - Cross-Site Request Forgery to Settings Update","The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (admin\u002Fsetting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb->update(). This makes it possible for unauthenticated attackers to modify the plugin's CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.","kcaptcha",null,"\u003C=1.0.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-21 19:07:38","2026-04-22 07:45:40",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa6c1c73b-76e3-4cb9-ad53-9d5d4e7519c9?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-4121 (Kcaptcha CSRF)\n\n## 1. Vulnerability Summary\nThe **Kcaptcha** plugin for WordPress (versions up to and including 1.0.1) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists in the plugin's settings management logic located in `admin\u002Fsetting.php`. The plugin fails to include a security nonce in the settings form and neglects to verify a nonce when processing the form submission. This allows an attacker to trick a logged-in administrator into involuntarily modifying the plugin's CAPTCHA configurations, potentially disabling security measures on critical forms (login, registration, etc.).\n\n## 2. Attack Vector Analysis\n* **Vulnerable Endpoint**: `wp-admin\u002Fadmin.php?page=kcaptcha` (inferred slug).\n* **HTTP Method**: POST.\n* **Vulnerable File**: `admin\u002Fsetting.php`.\n* **Vulnerable Logic**: The code lacks `wp_nonce_field()` in the HTML form and lacks `check_admin_referer()` or `wp_verify_nonce()` in the PHP processing block.\n* **Authentication Requirement**: Administrator (victim must be logged in).\n* **Preconditions**: An administrator must be induced to click a link or visit a page controlled by the attacker while their WordPress session is active.\n\n## 3. Code Flow\n1. **Registration**: The plugin registers an admin menu page, likely using `add_menu_page()` or `add_options_page()`, pointing to `admin\u002Fsetting.php` as the callback or included file.\n2. **Form Rendering**: When the admin visits the settings page, `admin\u002Fsetting.php` renders an HTML `\u003Cform>`. This form lacks the `\u003C?php wp_nonce_field(...); ?>` call.\n3. **Form Submission**: Upon clicking \"Save\" or \"Submit\", the browser sends a POST request to the same URL or `admin-post.php`.\n4. **Processing**: The top of `admin\u002Fsetting.php` (or an `admin_init` hook) checks if `$_POST` variables are present.\n5. **Database Sink**: Without any nonce check, the code proceeds to update settings in the database, specifically using `$wpdb->update()` on the plugin's configuration table (likely `wp_kcaptcha` or updating the `wp_options` table).\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.**\nAccording to the vulnerability description, the plugin completely lacks nonce validation in the settings handler. An unauthenticated attacker does not need to bypass a nonce check; they only need to forge the request that an administrator would normally send.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a POST request sent to the settings page can modify plugin options without a nonce.\n\n### Step-by-Step Plan:\n1. **Preparation**: Identify the exact POST parameters used by the plugin to toggle CAPTCHA. Based on the description, these likely correspond to:\n * `kcaptcha_login` (inferred)\n * `kcaptcha_registration` (inferred)\n * `kcaptcha_lostpassword` (inferred)\n * `kcaptcha_comment` (inferred)\n * `submit` (inferred - often used as a trigger)\n2. **Execution**: Use the `http_request` tool to send a POST request to `wp-admin\u002Fadmin.php?page=kcaptcha` with the admin's session cookies.\n3. **Payload**:\n * **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=kcaptcha`\n * **Method**: `POST`\n * **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n * **Body**: `kcaptcha_login=0&kcaptcha_registration=0&kcaptcha_lostpassword=0&kcaptcha_comment=0&submit=Save+Settings`\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Install and activate the `kcaptcha` plugin (version \u003C= 1.0.1).\n2. **Initial Configuration**: Manually enable all CAPTCHA options in the admin UI to ensure we have a state to \"unset\" via CSRF.\n3. **Admin Victim**: Ensure an administrator user exists (default: `admin` \u002F `password`).\n4. **Session Acquisition**: The agent must obtain the admin cookies to simulate the CSRF attack.\n\n## 7. Expected Results\n* The server should return a `200 OK` or a `302 Redirect` back to the settings page.\n* No \"Are you sure you want to do this?\" (WordPress's default nonce-failure message) should appear.\n* The database values for the CAPTCHA settings should be updated to the attacker-supplied values (e.g., all disabled).\n\n## 8. Verification Steps\nAfter the `http_request`, use WP-CLI to verify the change in state:\n1. **Check Options Table**: \n `wp option get kcaptcha_settings` (inferred name) \n *OR*\n2. **Check Plugin Table**: \n `wp db query \"SELECT * FROM wp_kcaptcha\"` (inferred table name)\n3. **Check Front-end**:\n Navigate to the login page (`\u002Fwp-login.php`) and verify that the CAPTCHA field is no longer visible.\n\n## 9. Alternative Approaches\nIf the settings are not stored in `wp_options` or a custom table, they might be stored as individual options. \n* **Individual Option Check**: `wp option get kcaptcha_login`\n* **Form Discovery**: If the inferred parameters are incorrect, the agent should first perform a `GET` request to `wp-admin\u002Fadmin.php?page=kcaptcha` and use `browser_eval` to extract all input names from the form:\n `browser_eval(\"Array.from(document.querySelectorAll('input[name]')).map(i => i.name)\")`\n\nThis discovery step ensures the POST payload matches the exact version of the plugin being tested.","The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.0.1. This vulnerability exists because the plugin's settings page handler in 'admin\u002Fsetting.php' does not implement nonce validation, allowing attackers to modify CAPTCHA configurations by tricking an administrator into submitting a forged request.","\u002F\u002F admin\u002Fsetting.php (approximate based on description)\n\nif (isset($_POST['submit'])) {\n \u002F\u002F Vulnerable: No check_admin_referer() or wp_verify_nonce() call here\n $wpdb->update($wpdb->prefix . 'kcaptcha', array(\n 'login' => $_POST['kcaptcha_login'],\n 'registration' => $_POST['kcaptcha_registration'],\n 'lostpassword' => $_POST['kcaptcha_lostpassword'],\n 'comment' => $_POST['kcaptcha_comment']\n ), array('id' => 1));\n}\n\n\u002F\u002F ---\n\n\u002F\u002F admin\u002Fsetting.php (form rendering)\n\n\u003Cform method=\"post\" action=\"\">\n \u003C!-- Vulnerable: Missing wp_nonce_field() -->\n \u003Cinput type=\"checkbox\" name=\"kcaptcha_login\" value=\"1\">\n \u003Cinput type=\"submit\" name=\"submit\" value=\"Save\">\n\u003C\u002Fform>","--- admin\u002Fsetting.php\n+++ admin\u002Fsetting.php\n@@ -1,4 +1,5 @@\n if (isset($_POST['submit'])) {\n+ check_admin_referer('kcaptcha_update_settings');\n $wpdb->update($wpdb->prefix . 'kcaptcha', array(\n 'login' => $_POST['kcaptcha_login'],\n 'registration' => $_POST['kcaptcha_registration'],\n@@ -10,4 +11,5 @@\n ...\n \u003Cform method=\"post\" action=\"\">\n+ \u003C?php wp_nonce_field('kcaptcha_update_settings'); ?>\n \u003Cinput type=\"checkbox\" name=\"kcaptcha_login\" value=\"1\">\n \u003Cinput type=\"submit\" name=\"submit\" value=\"Save\">","The exploit targets the plugin's settings management endpoint. An unauthenticated attacker crafts a malicious HTML page containing a hidden form that targets 'wp-admin\u002Fadmin.php?page=kcaptcha' via the POST method. The form contains parameters such as 'kcaptcha_login=0', 'kcaptcha_registration=0', and 'submit=Save', which are intended to disable the CAPTCHA functionality. When a logged-in administrator visits the attacker's page, the form is automatically submitted using the administrator's session cookies. Since the plugin lacks nonce verification, it processes the request and updates the database settings, effectively disabling CAPTCHA protections across the site.","gemini-3-flash-preview","2026-04-27 13:57:13","2026-04-27 13:57:32",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkcaptcha\u002Ftags"]