Impact
A Cross-Site Request Forgery flaw in the WordPress reCAPTCHA for all plugin allows a malicious site to make a victim who is logged into the WordPress admin send requests to the site that the victim did not intend. The vulnerability can lead to unauthorized changes to site settings, content, or user actions, limited by the capabilities granted to the authenticated user. It is a classic CSRF weakness classified as CWE-352 and does not grant arbitrary code execution by itself.
Affected Systems
The defect affects the sminozzi reCAPTCHA for all plugin for WordPress. All releases from the earliest available version through and including 2.26 are impacted. Any WordPress installation running version 2.26 or older of this plugin is potentially vulnerable.
Risk and Exploitability
The CVSS score of 4.3 classifies the issue as medium severity, while the EPSS score of less than 1% indicates a very low but non-zero probability that the flaw will be actively exploited in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely abused. Based on the description, the attack vector is inferred to require an authenticated victim to visit a malicious website, which then forces an unwanted request to the WordPress admin area; exploitation is therefore user-initiated and depends on the victim's browsing habits. No additional credentials or network privileges are required to exploit the flaw.
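To show what the CWE-352 weakness looks like in a WordPress plugin and how it is mitigated, the following added example (not code from the reCAPTCHA for all plugin, whose affected handler is not reproduced here) contrasts a hypothetical settings handler that trusts any POST arriving with an admin session against one hardened with a per-user nonce bound to the action plus a capability check. The plugin slug, option name and action names are assumptions.

```php
<?php
// Added example for a hypothetical plugin "example_captcha"; not the real plugin's code.

// VULNERABLE PATTERN (CWE-352): the handler assumes a request carrying an admin
// session cookie was sent on purpose. A form on another origin can POST here and
// the browser attaches the victim's cookies automatically.
add_action( 'admin_post_example_captcha_save_insecure', function () {
    if ( ! is_user_logged_in() ) {
        wp_die( 'forbidden' );
    }
    update_option( 'example_captcha_site_key', $_POST['site_key'] ?? '' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-captcha' ) );
    exit;
} );

// HARDENED PATTERN: action-bound nonce + explicit capability check + sanitization.
add_action( 'admin_post_example_captcha_save', function () {
    // Dies with HTTP 403 unless _wpnonce matches a nonce issued for this action
    // to this user's session; a cross-site form cannot supply that value.
    check_admin_referer( 'example_captcha_save', '_wpnonce' );

    // Authentication is not authorization: require the settings capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    $site_key = sanitize_text_field( wp_unslash( $_POST['site_key'] ?? '' ) );
    update_option( 'example_captcha_site_key', $site_key );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-captcha&updated=1' ) );
    exit;
} );

// Settings form: wp_nonce_field() emits the hidden _wpnonce and _wp_http_referer
// inputs that check_admin_referer() validates. Same-origin policy keeps the nonce
// unreadable from an attacker-controlled page.
function example_captcha_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_captcha_save">
        <?php wp_nonce_field( 'example_captcha_save', '_wpnonce' ); ?>
        <label>Site key
            <input type="text" name="site_key"
                   value="<?php echo esc_attr( get_option( 'example_captcha_site_key', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of flaw, look for every `admin_post_*`, `admin_init` or `wp_ajax_*` handler that calls `update_option()` or modifies content without a `check_admin_referer()` / `wp_verify_nonce()` call, and confirm the nonce check is paired with a `current_user_can()` check.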
OpenCVE Enrichment