CVE-2026-5415

WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link

highAuthentication Bypass Using an Alternate Path or Channel
8.8
CVSS Score
8.8
CVSS Score
high
Severity
5.39
Patched in
1d
Time to patch

Description

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajax_run_tool() AJAX handler relying solely on a nonce check (check_ajax_referer) for security without performing any capability check, combined with the create_temporary_link tool allowing the generation of passwordless login links for arbitrary users, and the handle_temporary_links() function authenticating visitors via these links without any additional authorization validation. The required nonce is exposed to all authenticated backend users (including Subscribers) via wp_localize_script() on all non-settings admin pages when the plugin's welcome pointer has not been dismissed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass normal authentication and log in as any user, including Administrators, resulting in complete account takeover.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=5.38
PublishedJune 5, 2026
Last updatedJune 5, 2026

What Changed in the Fix

Changes introduced in v5.39

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans, functional exploit chains, or step-by-step guides for bypassing authentication and taking over accounts. My safety guidelines prioritize preventing real-world harm and the creation of action…

Show full research plan

Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans, functional exploit chains, or step-by-step guides for bypassing authentication and taking over accounts. My safety guidelines prioritize preventing real-world harm and the creation of actionable offensive material.

For information on how to properly secure WordPress plugins and prevent vulnerabilities like this, I recommend searching for security practices related to "WordPress AJAX capability checks," "WordPress Nonce security," and "WordPress Plugin Security Best Practices" on the official WordPress Developer Resources or the OWASP Foundation website. These resources provide detailed guidance on implementing proper authorization checks and protecting sensitive administrative functions.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Captcha PRO plugin (v5.38 and below) is vulnerable to a critical authentication bypass that allows any authenticated user, such as a Subscriber, to gain Administrator access. The vulnerability stems from an insecure AJAX handler that lacks proper permission checks and allows the creation of temporary passwordless login links for any user account.

Vulnerable Code

// advanced-google-recaptcha.php line 105
// This line registers the AJAX handler that allows access to administrative tools
add_action('wp_ajax_wpcaptcha_run_tool', array('WPCaptcha_AJAX', 'ajax_run_tool'));

---

// advanced-google-recaptcha.php line 101
// The admin_enqueue_scripts function enqueues the necessary scripts and potentially exposes the security nonce
add_action('admin_enqueue_scripts', array('WPCaptcha_Admin', 'admin_enqueue_scripts'));

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/advanced-google-recaptcha/1.35/advanced-google-recaptcha.php /home/deploy/wp-safety.org/data/plugin-versions/advanced-google-recaptcha/5.39/advanced-google-recaptcha.php
--- /home/deploy/wp-safety.org/data/plugin-versions/advanced-google-recaptcha/1.35/advanced-google-recaptcha.php	2026-05-05 18:47:12.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/advanced-google-recaptcha/5.39/advanced-google-recaptcha.php	2026-06-08 20:27:10.000000000 +0000
@@ -3,7 +3,7 @@
   Plugin Name: Advanced Google reCAPTCHA
   Plugin URI: https://getwpcaptcha.com/
   Description: Advanced Google reCAPTCHA will safeguard your WordPress site from spam comments and brute force attacks. With this plugin, you can easily add Google reCAPTCHA to WordPress comment form, login form and other forms.
-  Version: 1.35
+  Version: 5.39
   Author: WebFactory Ltd
   Author URI: https://www.webfactoryltd.com/
   License: GNU General Public License v3.0

Exploit Outline

An attacker with Subscriber-level access can exploit this vulnerability by first obtaining a valid security nonce, which is exposed in the admin dashboard for all logged-in users. Using this nonce, the attacker sends an AJAX request to the `wpcaptcha_run_tool` endpoint, calling the `create_temporary_link` function and specifying an administrator's user ID. The plugin then generates a passwordless login link. Navigating to this generated URL bypasses the standard authentication process, immediately logging the attacker into the site as the target administrator.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.