Description
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 5.38. This is due to a missing capability check in the save_ajax() function of the licensing module, combined with unrestricted file extraction in sync_cloud_protection(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files including PHP webshells to the server by injecting a malicious cloud_protection_url into the license meta, which the plugin then downloads and extracts without file type validation into a web-accessible uploads directory. This can be used for remote code execution. Note: The vulnerability can only be exploited with a remote URL if "allow_url_fopen" is enabled in the php.ini config.
Published: 2026-06-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Captcha PRO plugin, the premium version of the Advanced Google reCAPTCHA plugin, permits an authenticated attacker with Subscriber level or higher to perform arbitrary file uploads. The vulnerability originates from a missing capability check in the licensing module's save_ajax() function combined with unrestricted extraction in sync_cloud_protection(). An attacker can inject a malicious cloud_protection_url in the license meta, causing the plugin to download and extract the payload into a web-accessible uploads directory without validating the file type. This allows the placement of PHP webshells, enabling remote code execution. The flaw is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type) and can only be exploited when PHP's allow_url_fopen setting is enabled.
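As an added illustration (hypothetical code written for this page, not WP Captcha PRO's own source; all `example_` names, option keys and the vendor host are assumptions), here is a WordPress AJAX handler and extraction routine that apply the controls the description says are absent: an authorization check before the licence setting can be saved, an allowlist on the URL that is later fetched, and extension and path validation of each archive entry before it is written to disk.

```php
<?php
// Hypothetical hardened handler; illustrative names, not the plugin's real code.
add_action( 'wp_ajax_example_save_license', 'example_save_license_ajax' );

function example_save_license_ajax() {
    // Control 1: authorization. Subscriber accounts do not have manage_options,
    // so the handler refuses before any licence meta is touched.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_license', 'nonce' );

    // Control 2: accept only an https URL on the expected vendor host (assumed host).
    $url    = isset( $_POST['cloud_protection_url'] ) ? esc_url_raw( wp_unslash( $_POST['cloud_protection_url'] ) ) : '';
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    $host   = wp_parse_url( $url, PHP_URL_HOST );
    if ( 'https' !== $scheme || 'updates.example-vendor.invalid' !== $host ) {
        wp_send_json_error( 'bad url', 400 );
    }
    update_option( 'example_cloud_protection_url', $url );
    wp_send_json_success();
}

// Control 3: extract only allowlisted data files, never executable types, never outside $dest.
// Fetch the archive with download_url() (WP HTTP API) rather than file_get_contents(),
// so the feature does not depend on allow_url_fopen at all.
function example_extract_rules_archive( string $zip_path, string $dest ): array {
    $allowed = array( 'json', 'txt' );
    $skipped = array();
    $real    = realpath( $dest );
    if ( false === $real ) {
        return array( 'error' => 'destination does not exist' );
    }
    $zip = new ZipArchive();
    if ( true !== $zip->open( $zip_path ) ) {
        return array( 'error' => 'cannot open archive' );
    }
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        // Reject traversal, absolute paths and any non-allowlisted extension;
        // this is what keeps .php/.phtml entries out of a web-served directory.
        if ( str_contains( $name, '..' ) || str_starts_with( $name, '/' ) || ! in_array( $ext, $allowed, true ) ) {
            $skipped[] = $name;
            continue;
        }
        file_put_contents( rtrim( $real, '/' ) . '/' . basename( $name ), $zip->getFromIndex( $i ) );
    }
    $zip->close();
    return array( 'skipped' => $skipped );
}
```

Writing extracted data into the public uploads tree is still avoidable: a directory outside the web root, or one with PHP execution disabled by the web server, removes the remaining impact even if the allowlist is misconfigured.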

Affected Systems

The affected product is the Advanced Google reCAPTCHA plugin (WP Captcha PRO) for WordPress. All versions up to and including 5.38 are vulnerable. The plugin can be found on the official website https://getwpcaptcha.com and is distributed under the webfactory:Advanced Google reCAPTCHA vendor designation.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. Exploitation requires a network-accessible WordPress installation, a logged-in user of Subscriber level or higher, and a server configuration that allows remote URL requests (allow_url_fopen = On). Once the file is uploaded, the attacker can execute arbitrary PHP code, potentially compromising the entire server and its data.

Generated by OpenCVE AI on June 5, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Advanced Google reCAPTCHA plugin to version 5.39 or newer from the vendor.
  • If an immediate update is not possible, remove or disable the plugin until a secure release is available.
  • Configure the server to disable PHP’s allow_url_fopen directive or employ a web application firewall to block suspicious upload traffic.


Advisories

No advisories yet.

History

Sat, 06 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics   (empty)          ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description   (empty)          The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 5.38. This is due to a capability check in the save_ajax() function of the licensing module, combined with unrestricted file extraction in sync_cloud_protection(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files including PHP webshells to the server by injecting a malicious cloud_protection_url into the license meta, which the plugin then downloads and extracts without file type validation into a web-accessible uploads directory. This can be used for remote code execution. Note: The vulnerability can only be exploited with a remote URL if "allow_url_fopen" is enabled in the php.ini config.
Title         (empty)          WP Captcha PRO <= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses    (empty)          CWE-434
References    (empty)          (empty)
Metrics       (empty)          cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:46:45.282Z

Reserved: 2026-04-02T07:07:02.783Z

Link: CVE-2026-5411

Vulnrichment

Updated: 2026-06-06T11:46:40.158Z

NVD

Status : Deferred

Published: 2026-06-05T19:16:34.860

Modified: 2026-06-05T19:20:19.607

Link: CVE-2026-5411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T20:45:04Z

Weaknesses