Impact
Cross‑Site Request Forgery (CSRF) in version 1.2 of the Image Captcha WordPress plugin allows a malicious site to forge requests that change the plugin's configuration settings. The flaw is a classic CSRF weakness (CWE‑352): the settings handler acts on a request without verifying that it originated from the plugin's own admin form. If a site administrator, or any other user with permission to modify the plugin settings, is logged in and visits a crafted page, the attacker can alter settings such as the CAPTCHA difficulty or disable the CAPTCHA entirely, removing the protection it provides against automated form submissions and potentially opening the door to further attacks.
Affected Systems
The vulnerability affects the WordPress Image Captcha plugin provided by captcha.soft, in all released versions up to and including 1.2. Any WordPress site with the plugin installed at version 1.2 or earlier is affected until it is upgraded past 1.2.
Risk and Exploitability
An attacker exploits the flaw by getting a user who is logged in with rights to change the plugin settings to load attacker‑controlled content, for example a page with an auto‑submitting form aimed at the plugin's settings endpoint; the victim's browser then sends the forged request with the victim's session cookies attached. Authentication is therefore required, but it is the victim's, not the attacker's, and no credentials need to be stolen; user interaction (visiting the malicious page) is required as well. The EPSS score of 0.00084 indicates a very low estimated probability of exploitation in the wild, and the flaw is not listed in CISA KEV. A successful attack modifies or disables the CAPTCHA configuration, potentially facilitating further attacks or degrading site security. Defenders should upgrade the plugin to a release later than 1.2 or, where that is not yet possible, add CSRF defenses to the settings handler (a WordPress nonce check alongside the capability check). Browsers that default cookies to SameSite=Lax block cookies on most cross‑site POST requests, which reduces but does not remove the exposure; the nonce check is the actual fix.
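The pattern behind this class of bug, and the fix recommended above, as an added illustration that is not the Image Captcha plugin's own code: a WordPress settings handler that trusts any POST reaching it, beside the same handler bound to a nonce. The option names, action name and form markup (everything prefixed `hypothetical_captcha_`) are assumptions made for the example; only the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`, `admin_post_*`) are real.

```php
<?php
/*
 * Added example, not the plugin's code. Everything named hypothetical_captcha_*
 * is an assumption for illustration. Assumes it runs inside WordPress
 * (admin-post.php routing, options API, nonce helpers).
 */

// VULNERABLE pattern (CWE-352). A logged-in admin who loads an attacker page
// containing an auto-submitting form aimed at
// admin-post.php?action=hypothetical_captcha_save has the settings changed:
// the browser attaches the admin's cookies, so the capability check passes.
function hypothetical_captcha_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // No proof that the request came from the plugin's own form.
    update_option( 'hypothetical_captcha_enabled', isset( $_POST['enabled'] ) ? 1 : 0 );
    update_option( 'hypothetical_captcha_difficulty', absint( $_POST['difficulty'] ?? 1 ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=hypothetical-captcha&saved=1' ) );
    exit;
}

// HARDENED pattern: require a nonce minted for this user and this action
// before touching any option. check_admin_referer() calls wp_die() when the
// nonce is missing, expired, or was issued for another user or action, so a
// cross-site page that cannot read the admin form cannot forge the request.
function hypothetical_captcha_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'hypothetical_captcha_save', 'hypothetical_captcha_nonce' );

    $difficulty = absint( $_POST['difficulty'] ?? 1 );
    $difficulty = max( 1, min( 5, $difficulty ) ); // clamp to the range the UI offers

    update_option( 'hypothetical_captcha_enabled', isset( $_POST['enabled'] ) ? 1 : 0 );
    update_option( 'hypothetical_captcha_difficulty', $difficulty );

    wp_safe_redirect( admin_url( 'options-general.php?page=hypothetical-captcha&saved=1' ) );
    exit;
}
add_action( 'admin_post_hypothetical_captcha_save', 'hypothetical_captcha_save_hardened' );

// The settings form must emit the matching nonce field; otherwise the
// hardened handler rejects every legitimate save too.
function hypothetical_captcha_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypothetical_captcha_save">
        <?php wp_nonce_field( 'hypothetical_captcha_save', 'hypothetical_captcha_nonce' ); ?>
        <label>
            <input type="checkbox" name="enabled" value="1"
                <?php checked( 1, get_option( 'hypothetical_captcha_enabled', 1 ) ); ?>>
            Enable CAPTCHA
        </label>
        <label>
            Difficulty
            <input type="number" name="difficulty" min="1" max="5"
                value="<?php echo esc_attr( get_option( 'hypothetical_captcha_difficulty', 1 ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this weakness, look for `update_option()` (or direct `$wpdb` writes) reachable from `admin_post_*`, `admin_init`, `wp_ajax_*` or a custom menu page callback with no `check_admin_referer()` / `wp_verify_nonce()` on the path. Plugins that register their options through the Settings API (`register_setting()` plus `settings_fields()` in the form) get the nonce check for free from `options.php`; hand-rolled handlers like the one above have to do it themselves.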