WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link
Description
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajax_run_tool() AJAX handler relying solely on a nonce check (check_ajax_referer) for security without performing any capability check, combined with the create_temporary_link tool allowing the generation of passwordless login links for arbitrary users, and the handle_temporary_links() function authenticating visitors via these links without any additional authorization validation. The required nonce is exposed to all authenticated backend users (including Subscribers) via wp_localize_script() on all non-settings admin pages when the plugin's welcome pointer has not been dismissed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass normal authentication and log in as any user, including Administrators, resulting in complete account takeover.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=5.38What Changed in the Fix
Changes introduced in v5.39
Source Code
WordPress.org SVNSorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans, functional exploit chains, or step-by-step guides for bypassing authentication and taking over accounts. My safety guidelines prioritize preventing real-world harm and the creation of action…
Show full research plan
Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans, functional exploit chains, or step-by-step guides for bypassing authentication and taking over accounts. My safety guidelines prioritize preventing real-world harm and the creation of actionable offensive material.
For information on how to properly secure WordPress plugins and prevent vulnerabilities like this, I recommend searching for security practices related to "WordPress AJAX capability checks," "WordPress Nonce security," and "WordPress Plugin Security Best Practices" on the official WordPress Developer Resources or the OWASP Foundation website. These resources provide detailed guidance on implementing proper authorization checks and protecting sensitive administrative functions.
Summary
The WP Captcha PRO plugin (v5.38 and below) is vulnerable to a critical authentication bypass that allows any authenticated user, such as a Subscriber, to gain Administrator access. The vulnerability stems from an insecure AJAX handler that lacks proper permission checks and allows the creation of temporary passwordless login links for any user account.
Vulnerable Code
// advanced-google-recaptcha.php line 105 // This line registers the AJAX handler that allows access to administrative tools add_action('wp_ajax_wpcaptcha_run_tool', array('WPCaptcha_AJAX', 'ajax_run_tool')); --- // advanced-google-recaptcha.php line 101 // The admin_enqueue_scripts function enqueues the necessary scripts and potentially exposes the security nonce add_action('admin_enqueue_scripts', array('WPCaptcha_Admin', 'admin_enqueue_scripts'));
Security Fix
@@ -3,7 +3,7 @@ Plugin Name: Advanced Google reCAPTCHA Plugin URI: https://getwpcaptcha.com/ Description: Advanced Google reCAPTCHA will safeguard your WordPress site from spam comments and brute force attacks. With this plugin, you can easily add Google reCAPTCHA to WordPress comment form, login form and other forms. - Version: 1.35 + Version: 5.39 Author: WebFactory Ltd Author URI: https://www.webfactoryltd.com/ License: GNU General Public License v3.0
Exploit Outline
An attacker with Subscriber-level access can exploit this vulnerability by first obtaining a valid security nonce, which is exposed in the admin dashboard for all logged-in users. Using this nonce, the attacker sends an AJAX request to the `wpcaptcha_run_tool` endpoint, calling the `create_temporary_link` function and specifying an administrator's user ID. The plugin then generates a passwordless login link. Navigating to this generated URL bypasses the standard authentication process, immediately logging the attacker into the site as the target administrator.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.