Description
Authentication Bypass by Spoofing vulnerability in bestwebsoft Google Captcha google-captcha allows Identity Spoofing.This issue affects Google Captcha: from n/a through <= 1.78.
Published: 2025-01-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability enables attackers to bypass the WordPress Google Captcha plugin and carry out authentication bypass (CWE–290). By subverting the reCaptcha verification, an attacker can impersonate legitimate users or submit form data without solving the CAPTCHA, which may allow unauthorized actions or content submission.

Affected Systems

WordPress sites that use the BestWebSoft Google Captcha plugin version 1.78 or earlier are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 signifies moderate severity. The EPSS score is below 1%, indicating a low but nonzero likelihood of exploitation. The issue is not listed in the KEV catalog. Attackers would need to craft requests that exploit the bypass logic, likely through standard form interactions, and may not require privileged access.

Generated by OpenCVE AI on May 1, 2026 at 18:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BestWebSoft Google Captcha plugin to the latest available version that fixes the bypass.
  • If an upgrade cannot be performed immediately, disable or remove the Google Captcha plugin from all public forms to eliminate the vulnerability while a patch is applied.
  • Verify that all authentication and form-processing functions enforce a valid CAPTCHA check after an update, ensuring no residual bypass routes remain.

Generated by OpenCVE AI on May 1, 2026 at 18:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3829 Authentication Bypass by Spoofing vulnerability in BestWebSoft Google Captcha allows Identity Spoofing. This issue affects Google Captcha: from n/a through 1.78.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Authentication Bypass by Spoofing vulnerability in BestWebSoft Google Captcha allows Identity Spoofing. This issue affects Google Captcha: from n/a through 1.78. Authentication Bypass by Spoofing vulnerability in bestwebsoft Google Captcha google-captcha allows Identity Spoofing.This issue affects Google Captcha: from n/a through <= 1.78.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Mon, 27 Jan 2025 14:30:00 +0000

Type Values Removed Values Added
Description Authentication Bypass by Spoofing vulnerability in BestWebSoft Google Captcha allows Identity Spoofing. This issue affects Google Captcha: from n/a through 1.78.
Title WordPress reCaptcha by BestWebSoft Plugin <= 1.78 - Captcha Bypass vulnerability
Weaknesses CWE-290
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.306Z

Reserved: 2025-01-23T14:51:25.978Z

Link: CVE-2025-24628

cve-icon Vulnrichment

Updated: 2025-02-12T20:37:36.275Z

cve-icon NVD

Status : Deferred

Published: 2025-01-27T15:15:14.923

Modified: 2026-06-17T08:59:20.630

Link: CVE-2025-24628

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T18:15:22Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing