HIGH 8.8

CVE-2026-5415: WP Captcha PRO Authentication Bypass — Full Account Takeover Risk

WP Captcha PRO, a WordPress plugin used for reCAPTCHA integration, contains a critical flaw that allows attackers with basic user access to impersonate any account on the site, including administrators. The vulnerability chains together three separate weaknesses: the plugin exposes a security token to low-privilege users, uses that token in an unprotected function that generates passwordless login links, and then automatically logs in visitors using those links without verifying they should have access. An attacker with even Subscriber-level access (the lowest user role) can exploit this to take over any account and gain full control of the WordPress installation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-288
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajax_run_tool() AJAX handler relying solely on a nonce check (check_ajax_referer) for security without performing any capability check, combined with the create_temporary_link tool allowing the generation of passwordless login links for arbitrary users, and the handle_temporary_links() function authenticating visitors via these links without any additional authorization validation. The required nonce is exposed to all authenticated backend users (including Subscribers) via wp_localize_script() on all non-settings admin pages when the plugin's welcome pointer has not been dismissed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass normal authentication and log in as any user, including Administrators, resulting in complete account takeover.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-5415 is an authentication bypass vulnerability in WP Captcha PRO versions up to 5.38. The root cause is a multi-layered security failure in the ajax_run_tool() AJAX handler. First, the handler relies exclusively on a nonce check (check_ajax_referer) without verifying user capabilities. Second, the create_temporary_link tool, exposed through this handler, generates passwordless login tokens for arbitrary users without authorization validation. Third, the handle_temporary_links() function authenticates incoming requests based on these tokens alone, performing no secondary authorization checks. Additionally, the required nonce is leaked to all authenticated backend users—including Subscribers—via wp_localize_script() injection on non-settings admin pages when the plugin's welcome pointer remains undismissed. This combination allows low-privilege attackers to generate and use passwordless links for any user account.

Business impact

Complete compromise of WordPress site integrity and confidentiality. An attacker gaining administrator access through this vulnerability can modify site content, steal sensitive data, inject malware, modify user accounts, access customer information, and establish persistent backdoors. For sites handling customer data, payments, or sensitive information, this represents a data breach scenario. The attack requires only Subscriber-level access, which is often granted to clients, partners, or service providers, dramatically expanding the attack surface. Remediation delay increases risk of active exploitation and post-compromise persistence.

Affected systems

WP Captcha PRO (premium version of Advanced Google reCAPTCHA plugin) in all versions through 5.38 is vulnerable. The plugin shares the same slug as its free counterpart. Any WordPress installation with this plugin installed and activated, which has at least one user account with Subscriber role or higher, is at risk. The vulnerability is particularly dangerous on multi-user sites where Subscribers, Contributors, Authors, or Editors are common user types.

Exploitability

Exploitability is high. The attack requires only Subscriber-level access—the most basic WordPress user role—and no user interaction. An attacker needs to identify the nonce value, which is automatically exposed in the DOM of non-settings admin pages as long as the plugin's welcome pointer notification has not been dismissed (a common scenario). Once the nonce is obtained, generating a passwordless link and leveraging it for account takeover is trivial and can be automated. The CVSS score of 8.8 (HIGH) reflects network accessibility, low attack complexity, low privilege requirements, and no user interaction needed.

Remediation

Update WP Captcha PRO to a patched version that implements proper capability checks on the ajax_run_tool() handler and adds authorization validation when authenticating temporary login links. Verify the specific patch version against the vendor's official security advisory. As an interim measure, restrict Subscriber role access if not operationally necessary, and ensure the plugin's welcome pointer is dismissed to reduce nonce exposure. Monitor admin activity and user login patterns for signs of unauthorized account access.

Patch guidance

Apply the latest security update for WP Captcha PRO as published by the vendor. Verify the update version number and release notes against the official plugin repository or vendor advisory to confirm the authentication bypass has been addressed. Test the update in a staging environment before production deployment to ensure compatibility with other plugins and customizations. After patching, confirm that capability checks are now enforced on AJAX handlers and that temporary login link generation includes proper authorization validation. Review user roles and remove unnecessary Subscriber accounts to reduce attack surface.

Detection guidance

Monitor WordPress admin activity logs for suspicious AJAX requests to the ajax_run_tool handler, particularly those using the create_temporary_link action. Inspect wp-admin access logs for non-admin users triggering AJAX endpoints unexpectedly. Review user login history for administrator accounts being accessed from unusual IP addresses or during off-hours, which may indicate unauthorized passwordless link usage. Check for recent additions of temporary login links in the plugin's database tables if audit logging is available. Enable WordPress security logging plugins that track capability escalation attempts and AJAX activity. Watch for scenarios where low-privilege users suddenly perform administrator-level actions.

Why prioritize this

This vulnerability should be prioritized for immediate patching due to its combination of high exploitability, severe impact, and low barrier to entry. The requirement for only Subscriber access—commonly granted in multi-user environments—makes this practical to exploit at scale. The complete account takeover capability, including admin access, means a successful exploit results in full site compromise with potential for data theft, malware injection, and persistent backdoor installation. The CVSS 8.8 score and HIGH severity rating underscore the urgency. Any delay in remediation increases the window for active exploitation.

Risk score, explained

CVSS 3.1 score of 8.8 reflects: Attack Vector Network (N) — exploitable remotely over the network; Attack Complexity Low (L) — no special conditions required; Privileges Required Low (L) — only Subscriber role needed; User Interaction None (N) — no clicking or victim action required; Scope Unchanged (U) — impact limited to the vulnerable component; Confidentiality High (H) — unauthorized access to all user accounts; Integrity High (H) — ability to modify any content or user data; Availability High (H) — potential to disable accounts or lock out legitimate users. This places the vulnerability in the HIGH severity category, warranting urgent remediation.

Frequently asked questions

Can this vulnerability be exploited without any WordPress user account?

No. The attacker must have at least Subscriber-level access to WordPress. However, Subscriber is the lowest user role and is often granted to clients, partners, or service providers. If your site grants Subscriber access to anyone outside your immediate team, the risk surface is significant.

Does updating to the latest plugin version automatically fix the vulnerability?

Only if you update to a version that includes the security patch. Check the vendor's official security advisory or plugin changelog to confirm the specific version that addresses this authentication bypass. Never assume the latest version is patched; verify against official sources.

Are there risks to removing the plugin entirely instead of patching?

Removing the plugin eliminates the vulnerability but may break reCAPTCHA functionality on your site. If you rely on the plugin for bot protection, research alternative solutions before removal. If you do remove it, clean up any database entries or configuration the plugin left behind, and test that your forms still function correctly.

How can I tell if my site has been compromised by this vulnerability?

Review your WordPress user accounts for unexpected administrators or users, check login logs for unusual access patterns, audit recent posts and pages for unauthorized modifications, and examine your database for unfamiliar plugin installations or backdoor code. Consider performing a full security scan with a reputable WordPress security tool. If you suspect compromise, consult a WordPress security specialist.

This analysis is provided for informational purposes to assist security teams in vulnerability assessment and remediation planning. The information herein is based on the disclosed CVE details and vendor guidance available as of the publication date. Security teams should verify all patch versions, update procedures, and compatibility requirements directly with the official vendor advisory and plugin repository before applying updates in production environments. This advisory does not constitute legal advice, warranty, or guarantee of patched security. Organizations should conduct their own risk assessment based on their specific infrastructure, user configurations, and operational requirements. Always test patches in a staging environment prior to production deployment. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).