HIGH 8.8

CVE-2026-5411: WP Captcha PRO Arbitrary File Upload & Remote Code Execution

WP Captcha PRO, a WordPress security plugin, contains a flaw that allows attackers with basic user accounts to upload and execute malicious code on affected websites. The vulnerability stems from insufficient validation when the plugin downloads and extracts files as part of its cloud protection feature. An attacker can trick the plugin into downloading a malicious archive, which it will extract into a publicly accessible folder, enabling remote code execution. This requires the attacker to have at least Subscriber-level access to WordPress and depends on certain PHP server configurations being enabled.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-434
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 5.38. This is due to a capability check in the save_ajax() function of the licensing module, combined with unrestricted file extraction in sync_cloud_protection(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files including PHP webshells to the server by injecting a malicious cloud_protection_url into the license meta, which the plugin then downloads and extracts without file type validation into a web-accessible uploads directory. This can be used for remote code execution. Note: The vulnerability can only be exploited with a remote URL if "allow_url_fopen" is enabled in the php.ini config.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-5411 affects WP Captcha PRO through version 5.38 and involves a combination of two weaknesses in the licensing module. The save_ajax() function fails to properly enforce capability checks, allowing lower-privileged authenticated users to modify license metadata. The sync_cloud_protection() function then processes this metadata without validating file types or archive contents during extraction. When allow_url_fopen is enabled on the server, an attacker can inject a malicious cloud_protection_url into the license meta, causing the plugin to fetch and extract an attacker-controlled archive directly into the WordPress uploads directory (or other web-accessible paths). No file type restrictions are enforced during extraction, permitting PHP files and webshells to be written to disk and executed by the web server.

Business impact

Successful exploitation enables complete server compromise through remote code execution. An attacker can establish persistent backdoors, steal sensitive data including customer information and database credentials, modify website content, inject malware for further distribution, or launch attacks against your infrastructure and connected systems. The attack surface is broad because it only requires Subscriber-level access—a privilege level often held by numerous users, including contributors, temporary staff, or compromised accounts. For multi-site WordPress installations, a single compromised account poses organization-wide risk.

Affected systems

All versions of WP Captcha PRO up to and including version 5.38 are vulnerable. The Advanced Google reCAPTCHA plugin (free version) shares the same slug but has not been identified as affected by this specific vulnerability. Exploitation requires: (1) WP Captcha PRO to be active, (2) the attacker to have authenticated access at Subscriber level or higher, and (3) the target server to have allow_url_fopen enabled in php.ini. Systems with allow_url_fopen disabled mitigate remote URL exploitation, though local file inclusion vectors should be evaluated.

Exploitability

Exploitation is straightforward once initial access is obtained. The attack requires no user interaction, no clicking of malicious links by administrators, and succeeds reliably if conditions are met. The primary barrier is obtaining valid WordPress credentials; however, Subscriber access is the lowest privileged user role that can log in, making credential compromise, account enumeration, or brute force attacks realistic threat scenarios. No advanced exploitation skills are needed—the vulnerability is a logical flaw rather than a memory corruption or timing-dependent issue. The CVSS score of 8.8 (HIGH) reflects the ease of exploitation and severity of impact.

Remediation

Update WP Captcha PRO to the first patched version released after 5.38. Verify the availability of a patched release through the plugin's official repository or vendor advisory before upgrading. Additionally, review and restrict PHP configurations: disable allow_url_fopen in php.ini if not required by other applications, implement strict file upload restrictions at the web server level, and enforce principle of least privilege for WordPress user roles. Audit existing user accounts and revoke unnecessary Subscriber+ permissions. Consider implementing Web Application Firewall (WAF) rules to detect and block suspicious license meta modifications.

Patch guidance

Apply updates as soon as a patched version is released. Visit the WordPress Plugin Directory or contact the plugin vendor directly to confirm the version that resolves this vulnerability. Before deployment, test patches in a staging environment to ensure compatibility with active themes and plugins. If you are unable to patch immediately, apply compensating controls: disable allow_url_fopen, restrict Subscriber+ account creation, monitor license-related database changes, and disable the cloud protection feature if not essential. Document the timeline for patching and communicate urgently with stakeholders given the HIGH severity rating.

Detection guidance

Monitor WordPress user accounts with Subscriber level or above for suspicious activity. Log and alert on modifications to the 'license' or 'cloud_protection_url' meta fields, particularly if modified by non-admin accounts. Check web server access logs for unusual file creation events in the uploads directory, especially for PHP files. Use security plugins or WAF rules to inspect POST requests to the licensing module's save_ajax() function for anomalous metadata. Examine the wp-uploads directory for newly created files with unexpected MIME types (e.g., PHP within a ZIP or TAR archive). Correlate file creation timestamps with user login events to identify the source. Review web server error logs for execution of PHP files in unusual locations.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS score (8.8), low barrier to exploitation, and direct path to remote code execution. Unlike vulnerabilities requiring administrative access or complex social engineering, this threat can be realized by any user account at Subscriber level or above. Given the commonality of WordPress sites and the potential for widespread WordPress account compromise through credential stuffing or weak passwords, the risk to your infrastructure is substantial. The lack of CISA KEV status does not diminish urgency; internal prioritization should treat this as critical.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) is driven by: (1) Network vector (AV:N)—attack is remote, (2) Low complexity (AC:L)—no special conditions required beyond basic authentication, (3) Low privilege requirement (PR:L)—Subscriber role is the lowest user level, (4) No user interaction needed (UI:N), (5) Unchanged scope (S:U), and (6) High impact across confidentiality, integrity, and availability (C:H/I:H/A:H)—full system compromise via code execution. This score accurately reflects the severity and exploitability of the vulnerability.

Frequently asked questions

Do we need to disable the plugin entirely while waiting for a patch?

Disabling WP Captcha PRO prevents exploitation but removes its reCAPTCHA protection against bots and automated attacks. If you can quickly apply a patch (ideally within hours to days), maintain the plugin while restricting user access and monitoring closely. If patching will be significantly delayed, evaluate the trade-off between bot protection and remote code execution risk. In high-security environments, disable the plugin temporarily.

Our server has allow_url_fopen disabled. Are we safe from this CVE?

Disabling allow_url_fopen blocks exploitation via remote URLs injected into the cloud_protection_url field. However, you are not entirely safe if an attacker can upload a malicious archive locally or via other means, or if the vulnerability can be exploited through other attack vectors not yet disclosed. Continue monitoring the vulnerability and apply patches as soon as available. Additionally, verify that no other functionality relies on allow_url_fopen being enabled.

Can we identify if our site was already compromised by this vulnerability?

Check your WordPress user audit logs (if available via security plugins) for unexpected license meta modifications made by non-admin accounts. Scan the wp-uploads directory for newly created PHP files or archives modified around the time of suspicious user activity. Review web server access logs for POST requests to admin-ajax.php with 'save_ajax' action combined with file creation events in uploads. Conduct a thorough malware scan using tools like Wordfence or Sucuri. If signs of compromise are found, assume database access and rotate all database passwords and API credentials immediately.

Does this affect the free Advanced Google reCAPTCHA plugin?

The free and premium versions share the same plugin slug, but the vulnerability has only been confirmed in WP Captcha PRO (the premium version). However, monitor vendor advisories for any updates affecting the free version. If uncertain, contact the plugin vendor directly for clarification on your installed version.

This analysis is based on the CVE-2026-5411 advisory and publicly available information current as of the publication date. Verify all patch version numbers and availability through the official WordPress plugin repository and vendor advisory before deploying updates. CVSS scores, CWE classifications, and other technical details are sourced from the National Vulnerability Database and official CVE records. Actual risk and exploitability may vary based on your specific WordPress configuration, hosting environment, user account structure, and security controls. This guidance does not constitute legal or compliance advice. Organizations should adapt recommendations to their risk tolerance, regulatory requirements, and operational constraints. No guarantee is made regarding the completeness or accuracy of this analysis; treat it as one input among multiple risk assessment sources. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).