The vulnerability resides in the captcha.eu WordPress plugin and allows an attacker to trigger the server to send HTTP requests to arbitrary destinations by manipulating a supplied URL. Such Server Side Request Forgery can expose internal resources, leak sensitive information, or serve as a foothold for further attacks such as data exfiltration or privilege escalation. The weakness is a lack of input validation and sanitization, consistent with CWE‑918.

The Captcha.eu plugin from the vendor captcha.eu is affected. Versions up through 1.0.61, and any earlier releases, are vulnerable, while no information is available for versions newer than 1.0.61.

The CVSS score of 5.4 indicates a medium severity, and the EPSS score of less than 1% suggests a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the plugin’s public exposure and the nature of SSRF, the attack is likely executable by any user who can reach the vulnerable endpoint—often requiring administrator or logged‑in privileges—though the exact authentication prerequisites are not provided. Exploitation would involve supplying a crafted URL that the plugin forwards without restriction, allowing the site to contact private or protected network services.