Description
Missing Authorization vulnerability in hcaptcha hCaptcha for WP hcaptcha-for-forms-and-more allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects hCaptcha for WP: from n/a through <= 4.21.1.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The hCaptcha for WP plugin contains a missing authorization flaw (CWE‑862) that permits attackers to perform actions they are not authorized to execute. By bypassing proper permission checks before processing certain plugin operations, an attacker could view or modify protected resources within the WordPress site, potentially compromising its configuration and user data.

Affected Systems

Versions of the hCaptcha for WP plugin from the earliest available release through 4.21.1 are affected. Any WordPress installation that includes one of these plugin versions is susceptible, particularly if a user account has permission to access the plugin’s settings or form configuration pages.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability is classified as moderate. The EPSS score is below 1 %, indicating a very low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through the WordPress administration interface that manages hCaptcha settings or forms; this inference is not explicitly stated in the CVE description. Based on the description, it is inferred that ownership of a user account with at least plugin‑configuration privileges is required to exploit the flaw, and no additional software is necessary beyond the standard WordPress environment.

Generated by OpenCVE AI on April 16, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the hCaptcha for WP plugin to version 4.22.0 or later.
  • Restrict WordPress user roles that can access the plugin’s configuration screens, ensuring only administrators have permission to alter hCaptcha settings.
  • Audit server and WordPress logs for anomalous plugin activity and investigate any suspicious changes.

Generated by OpenCVE AI on April 16, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improperly implemented security check vulnerability in KAGG hCaptcha for WP allows CAPTCHA Functionality Bypass.This issue affects hCaptcha for WP: from n/a through 4.21.1. The vulnerability is limited to the CAPTCHA mechanism intended to protect a publicly accessible form from automated abuse. It does not impact WordPress-level authentication or authorization controls. Missing Authorization vulnerability in hcaptcha hCaptcha for WP hcaptcha-for-forms-and-more allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects hCaptcha for WP: from n/a through <= 4.21.1.
Title WordPress hCaptcha for WP plugin <= 4.21.1 - Access Control (CAPCTHA) bypass vulnerability WordPress hCaptcha for WP plugin <= 4.21.1 - Broken Access Control vulnerability
Weaknesses CWE-358 CWE-862
References

Mon, 30 Mar 2026 08:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
References

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in hcaptcha hCaptcha for WP hcaptcha-for-forms-and-more allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects hCaptcha for WP: from n/a through <= 4.22.0. Improperly implemented security check vulnerability in KAGG hCaptcha for WP allows CAPTCHA Functionality Bypass.This issue affects hCaptcha for WP: from n/a through 4.21.1. The vulnerability is limited to the CAPTCHA mechanism intended to protect a publicly accessible form from automated abuse. It does not impact WordPress-level authentication or authorization controls.
Title WordPress hCaptcha for WP plugin <= 4.22.0 - Broken Access Control vulnerability WordPress hCaptcha for WP plugin <= 4.21.1 - Access Control (CAPCTHA) bypass vulnerability
Weaknesses CWE-358
References

Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Hcaptcha
Hcaptcha hcaptcha For Wp
Wordpress
Wordpress wordpress
Vendors & Products Hcaptcha
Hcaptcha hcaptcha For Wp
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in hcaptcha hCaptcha for WP hcaptcha-for-forms-and-more allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects hCaptcha for WP: from n/a through <= 4.22.0.
Title WordPress hCaptcha for WP plugin <= 4.22.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Hcaptcha Hcaptcha For Wp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:44.993Z

Reserved: 2026-02-02T12:20:47.810Z

Link: CVE-2026-25315

cve-icon Vulnrichment

Updated: 2026-02-20T16:26:14.176Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:15.773

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25315

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:00:09Z

Weaknesses