Description
The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (admin/setting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb->update(). This makes it possible for unauthenticated attackers to modify the plugin's CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Published: 2026-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery (CSRF) allowing attackers to change Kcaptcha settings
Action: Patch Immediately
AI Analysis

Impact

The Kcaptcha plugin fails to validate a nonce on its settings page, enabling unauthenticated attackers to submit forged requests that alter the plugin’s configuration. The attacker can disable CAPTCHA on login, registration, password reset, and comment forms, effectively removing a layer of defense against brute‑force and spam attacks. The vulnerability does not provide direct code execution but gives attackers indirect influence over site authentication and commenting workflows, potentially increasing the risk of credential stuffing, automated account creation, or comment flooding.

Affected Systems

ksolves Kcaptcha WordPress plugin, all versions up to and including 1.0.1. The issue resides in the admin/setting.php handler, which is used by site administrators to manage CAPTCHA options.

Risk and Exploitability

The CVSS score of 4.3 reflects a moderate severity; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires social engineering of a site administrator to submit a crafted HTTP request to the settings endpoint. Because no nonce or capability checks are performed, any attacker who can trick an admin into clicking a link can change the CAPTCHA settings, potentially disabling security controls and paving the way for automated attacks.

Generated by OpenCVE AI on April 22, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kcaptcha to the newest version (>=1.0.2) where nonce validation is implemented.
  • If you maintain a custom fork, add wp_nonce_field() to the settings form and call wp_verify_nonce() or check_admin_referer() before updating the database.
  • Restrict access to the settings page so only users with the 'manage_options' capability can load or submit the form, for example by adding a capability check at the top of admin/setting.php.
  • As a temporary workaround, if an upgrade is not possible, manually set the CAPTCHA options to their desired defaults in the database and apply a file‑watcher to detect unauthorized changes.

Generated by OpenCVE AI on April 22, 2026 at 09:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Ksolves
Ksolves kcaptcha
Wordpress
Wordpress wordpress
Vendors & Products Ksolves
Ksolves kcaptcha
Wordpress
Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (admin/setting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb->update(). This makes it possible for unauthenticated attackers to modify the plugin's CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Title Kcaptcha <= 1.0.1 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Ksolves Kcaptcha
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T07:45:40.047Z

Reserved: 2026-03-13T13:31:45.845Z

Link: CVE-2026-4121

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-22T09:16:23.490

Modified: 2026-04-22T09:16:23.490

Link: CVE-2026-4121

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:43:57Z

Weaknesses