Description
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajax_run_tool() AJAX handler relying solely on a nonce check (check_ajax_referer) for security without performing any capability check, combined with the create_temporary_link tool allowing the generation of passwordless login links for arbitrary users, and the handle_temporary_links() function authenticating visitors via these links without any additional authorization validation. The required nonce is exposed to all authenticated backend users (including Subscribers) via wp_localize_script() on all non-settings admin pages when the plugin's welcome pointer has not been dismissed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass normal authentication and log in as any user, including Administrators, resulting in complete account takeover.
Published: 2026-06-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP Captcha PRO versions up to 5.38 contain a vulnerability that allows an attacker with subscriber‑level access to bypass normal WordPress authentication and become any user, including administrators. The flaw arises because the ajax_run_tool() handler relies only on a nonce check and the temporary link feature creates passwordless login links for any user. The necessary nonce is exposed through wp_localize_script() on all non‑settings admin pages when the welcome pointer has not been dismissed, so a legitimate subscriber can send a crafted AJAX request and obtain a temporary link that logs them in as the target account. Once logged in, the attacker gains full control of that account’s privileges and can perform any action allowed to the target user.
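To make the defect concrete, the following is an added illustration written for this record, not the plugin's own code: a WordPress AJAX tool handler that shows the weak pattern described above (nonce check only) beside a hardened version that also performs a capability check, restricts nonce exposure to users who may use the tool, and binds temporary login links to an issuer, an expiry and single use. Hook names, the nonce action, the tool name and the transient key prefix are all hypothetical.

```php
<?php
// Added example, not the plugin's code. All names below are hypothetical.

// WEAK PATTERN: check_ajax_referer() only proves the request carries a nonce
// that some admin page handed out. It is a CSRF defence, not authorization.
// Any logged-in user who received the nonce (e.g. via wp_localize_script()
// on a shared admin page) passes this check and can reach every tool.
function example_ajax_run_tool_weak() {
    check_ajax_referer( 'example_tools_nonce', 'nonce' );
    $tool = isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '';
    // ... dispatches to tools, including one that mints passwordless links
    wp_send_json_success( array( 'ran' => $tool ) );
}

// HARDENED: CSRF check AND capability check. Only administrators (here:
// manage_options) may run tools, whatever nonce the request carries.
function example_ajax_run_tool_hardened() {
    check_ajax_referer( 'example_tools_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
    $tool = isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '';
    if ( 'create_temporary_link' === $tool ) {
        $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
        if ( ! get_userdata( $user_id ) ) {
            wp_send_json_error( array( 'message' => 'Unknown user' ), 400 );
        }
        // 32 random bytes -> 64 hex chars; only the hash is stored server-side,
        // so a database read alone does not yield a usable link.
        $token  = bin2hex( random_bytes( 32 ) );
        $record = array(
            'user_id'   => $user_id,
            'issued_by' => get_current_user_id(),
            'expires'   => time() + 15 * MINUTE_IN_SECONDS,
        );
        set_transient( 'example_tmp_login_' . hash( 'sha256', $token ), $record, 15 * MINUTE_IN_SECONDS );
        wp_send_json_success( array(
            'link' => add_query_arg( 'example_tmp_login', $token, home_url( '/' ) ),
        ) );
    }
    wp_send_json_error( array( 'message' => 'Unknown tool' ), 400 );
}
add_action( 'wp_ajax_example_run_tool', 'example_ajax_run_tool_hardened' );

// Expose the nonce only to users who are allowed to use the tools, and only
// on the plugin's own settings page, instead of on every admin page.
function example_enqueue_admin_js( $hook_suffix ) {
    if ( 'settings_page_example-tools' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-tools', plugins_url( 'tools.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-tools', 'exampleTools', array(
        'nonce' => wp_create_nonce( 'example_tools_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_js' );

// Consuming a link: look up the hashed token, enforce expiry and one-time
// use, and re-check that the issuer is still an administrator before
// authenticating the visitor as the target user.
function example_handle_temporary_link() {
    if ( empty( $_GET['example_tmp_login'] ) ) {
        return;
    }
    $token = sanitize_text_field( wp_unslash( $_GET['example_tmp_login'] ) );
    $key   = 'example_tmp_login_' . hash( 'sha256', $token );
    $rec   = get_transient( $key );
    delete_transient( $key ); // single use, valid or not
    if ( ! is_array( $rec ) || time() > $rec['expires'] || ! user_can( $rec['issued_by'], 'manage_options' ) ) {
        wp_die( 'Invalid or expired login link', '', array( 'response' => 403 ) );
    }
    wp_set_auth_cookie( (int) $rec['user_id'] );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'init', 'example_handle_temporary_link' );
```

The point worth internalising is the split between the two checks: `check_ajax_referer()` answers "did this request originate from a page that legitimately held the nonce?", while `current_user_can()` answers "is this user allowed to do this at all?". A handler that performs privileged actions needs both, and the nonce should not be handed to users who fail the second question in the first place.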

Affected Systems

The affected product is the WP Captcha PRO (Advanced Google reCAPTCHA) plugin for WordPress, version 5.38 or earlier. Only installations running the premium plugin under that version name are impacted.

Risk and Exploitability

The vulnerability scores a CVSS of 8.8, indicating a high severity. While EPSS is not available, the lack of a KEV listing means it has not been identified as a widely exploited vulnerability by CISA, though the high score suggests it could be targeted. The attack requires legitimate subscriber access, so it is limited to authenticated users who have not dismissed the plugin’s welcome pointer. Once the attacker calls the vulnerable AJAX endpoint, no additional authorization checks are performed, enabling a straight account takeover with no need for further exploitation steps.

Generated by OpenCVE AI on June 5, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Captcha PRO to the latest version (5.39 or newer) to remove the vulnerable AJAX handler and temporary link feature.
  • If an upgrade is not possible, deactivate or uninstall the plugin to eliminate the attack surface.
  • After disabling the plugin, review site audit logs for unauthorized login attempts and ensure all temporary links are revoked or invalidated if they were previously issued.

Tracking

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajax_run_tool() AJAX handler relying solely on a nonce check (check_ajax_referer) for security without performing any capability check, combined with the create_temporary_link tool allowing the generation of passwordless login links for arbitrary users, and the handle_temporary_links() function authenticating visitors via these links without any additional authorization validation. The required nonce is exposed to all authenticated backend users (including Subscribers) via wp_localize_script() on all non-settings admin pages when the plugin's welcome pointer has not been dismissed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass normal authentication and log in as any user, including Administrators, resulting in complete account takeover.

Type: Title
Values Removed: (none)
Values Added: WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-288

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:46:59.327Z

Reserved: 2026-04-02T09:01:20.853Z

Link: CVE-2026-5415

Vulnrichment

Updated: 2026-06-06T11:46:54.160Z

NVD

Status : Deferred

Published: 2026-06-05T19:16:35.070

Modified: 2026-06-05T19:20:19.607

Link: CVE-2026-5415

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T20:45:04Z

Weaknesses