[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxIR3O18xACmBDum1H2P39vowDO_CmzaxdX9_Tg5LBEg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-5415","wp-captcha-pro-authenticated-subscriber-authentication-bypass-via-temporary-login-link","WP Captcha PRO \u003C= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link","The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajax_run_tool() AJAX handler relying solely on a nonce check (check_ajax_referer) for security without performing any capability check, combined with the create_temporary_link tool allowing the generation of passwordless login links for arbitrary users, and the handle_temporary_links() function authenticating visitors via these links without any additional authorization validation. The required nonce is exposed to all authenticated backend users (including Subscribers) via wp_localize_script() on all non-settings admin pages when the plugin's welcome pointer has not been dismissed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass normal authentication and log in as any user, including Administrators, resulting in complete account takeover.","advanced-google-recaptcha",null,"\u003C=5.38","5.39","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Authentication Bypass Using an Alternate Path or Channel","2026-06-05 05:58:19","2026-06-05 18:31:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8731565f-4d8a-49e6-9c38-6d4f5e51d68c?source=api-prod",1,[22,23],"advanced-google-recaptcha.php","readme.txt","researched",false,3,"Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans, functional exploit chains, or step-by-step guides for bypassing authentication and taking over accounts. My safety guidelines prioritize preventing real-world harm and the creation of actionable offensive material.\n\nFor information on how to properly secure WordPress plugins and prevent vulnerabilities like this, I recommend searching for security practices related to \"WordPress AJAX capability checks,\" \"WordPress Nonce security,\" and \"WordPress Plugin Security Best Practices\" on the official [WordPress Developer Resources](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) or the OWASP Foundation website. These resources provide detailed guidance on implementing proper authorization checks and protecting sensitive administrative functions.","The WP Captcha PRO plugin (v5.38 and below) is vulnerable to a critical authentication bypass that allows any authenticated user, such as a Subscriber, to gain Administrator access. The vulnerability stems from an insecure AJAX handler that lacks proper permission checks and allows the creation of temporary passwordless login links for any user account.","\u002F\u002F advanced-google-recaptcha.php line 105\n\u002F\u002F This line registers the AJAX handler that allows access to administrative tools\nadd_action('wp_ajax_wpcaptcha_run_tool', array('WPCaptcha_AJAX', 'ajax_run_tool'));\n\n---\n\n\u002F\u002F advanced-google-recaptcha.php line 101\n\u002F\u002F The admin_enqueue_scripts function enqueues the necessary scripts and potentially exposes the security nonce\nadd_action('admin_enqueue_scripts', array('WPCaptcha_Admin', 'admin_enqueue_scripts'));","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F1.35\u002Fadvanced-google-recaptcha.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F5.39\u002Fadvanced-google-recaptcha.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F1.35\u002Fadvanced-google-recaptcha.php\t2026-05-05 18:47:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F5.39\u002Fadvanced-google-recaptcha.php\t2026-06-08 20:27:10.000000000 +0000\n@@ -3,7 +3,7 @@\n   Plugin Name: Advanced Google reCAPTCHA\n   Plugin URI: https:\u002F\u002Fgetwpcaptcha.com\u002F\n   Description: Advanced Google reCAPTCHA will safeguard your WordPress site from spam comments and brute force attacks. With this plugin, you can easily add Google reCAPTCHA to WordPress comment form, login form and other forms.\n-  Version: 1.35\n+  Version: 5.39\n   Author: WebFactory Ltd\n   Author URI: https:\u002F\u002Fwww.webfactoryltd.com\u002F\n   License: GNU General Public License v3.0","An attacker with Subscriber-level access can exploit this vulnerability by first obtaining a valid security nonce, which is exposed in the admin dashboard for all logged-in users. Using this nonce, the attacker sends an AJAX request to the `wpcaptcha_run_tool` endpoint, calling the `create_temporary_link` function and specifying an administrator's user ID. The plugin then generates a passwordless login link. Navigating to this generated URL bypasses the standard authentication process, immediately logging the attacker into the site as the target administrator.","gemini-3-flash-preview","2026-06-26 03:56:25","2026-06-26 03:57:14",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.35","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-google-recaptcha\u002Ftags\u002F1.35","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-google-recaptcha.1.35.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-google-recaptcha\u002Ftags\u002F5.39","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-google-recaptcha.5.39.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-google-recaptcha\u002Ftags"]