Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (admin/setting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb->update(). This makes it possible for unauthenticated attackers to modify the plugin's CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
AnalysisAI
The Kcaptcha WordPress plugin versions up to 1.0.1 fails to validate nonces on the settings page, allowing unauthenticated attackers to modify CAPTCHA configuration (enable/disable on login, registration, lost password, and comment forms) via cross-site request forgery if a site administrator can be tricked into clicking a malicious link. The vulnerability requires user interaction (administrator click) but carries a CVSS score of 4.3 with integrity impact; no public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
The Kcaptcha plugin integrates CAPTCHA functionality into WordPress sites via the admin/setting.php handler. The vulnerability stems from the absence of WordPress security nonce functions (wp_nonce_field() for form output and wp_verify_nonce() or check_admin_referer() for form processing) in the settings form. This violates CWE-352 (Cross-Site Request Forgery), a foundational web security flaw where state-changing operations lack token-based request validation. When an administrator is logged into their WordPress dashboard, an attacker can craft a forged HTTP request (typically via an HTML form on an attacker-controlled site) that modifies the plugin's configuration stored in the WordPress database via $wpdb->update() calls, since the settings handler does not validate that the request originated from the legitimate WordPress admin interface.
RemediationAI
The primary remediation is to update the Kcaptcha plugin to a patched version released after 1.0.1 that includes nonce validation (wp_nonce_field() in the form and wp_verify_nonce() or check_admin_referer() in the handler). Until a patched version is available, administrators should disable the plugin if CAPTCHA is not critical to site functionality, or apply a temporary code patch to admin/setting.php to add nonce validation manually. As a compensating control, restrict access to the WordPress admin dashboard to trusted IP addresses via .htaccess or a Web Application Firewall (WAF), which reduces the attack surface by limiting which administrators can access the vulnerable settings page. This control has minor operational impact if the organization uses stable office/VPN IP ranges but may inconvenience remote work scenarios. Monitor plugin update channels and the Wordfence advisory for patch availability; once released, apply the update immediately given the simplicity of the fix.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24664
GHSA-j4g7-gjv8-gvjh