ZeroPath at Black Hat USA 2026

WP Captcha PRO CVE-2026-5411: Brief Summary of Arbitrary File Upload to Remote Code Execution via Licensing Module

A brief summary of CVE-2026-5411, a CVSS 8.8 arbitrary file upload vulnerability in WP Captcha PRO that allows Subscriber level users to upload PHP webshells through the plugin's licensing module. Patch information and vendor history are included.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-05

WP Captcha PRO CVE-2026-5411: Brief Summary of Arbitrary File Upload to Remote Code Execution via Licensing Module
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing authorization check in WP Captcha PRO's licensing module allows any WordPress user with a Subscriber account to inject a malicious URL into the plugin's configuration, triggering an unrestricted file download and extraction that places a PHP webshell directly into a web accessible uploads directory. With 200,000+ active installations of the underlying Advanced Google reCAPTCHA plugin (which shares the same slug as the premium WP Captcha PRO), this CVSS 8.8 vulnerability represents a significant remote code execution risk across a large swath of the WordPress ecosystem.

WP Captcha PRO, developed by WebFactory Ltd, is the premium version of the Advanced Google reCAPTCHA plugin. It provides CAPTCHA protection for WordPress login, registration, comment, and contact forms, integrating with Google reCAPTCHA v2/v3 and offering additional features like brute force protection and cloud based security in the PRO tier. The free version alone has over 200,000 active installations, making it one of the more widely deployed CAPTCHA solutions for WordPress.

Technical Information

Root Cause: Two Flaws, One Chain

CVE-2026-5411 is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting that the attack is network based, low complexity, requires only low privilege authentication, needs no user interaction, and achieves high impact across confidentiality, integrity, and availability.

The vulnerability is not a single missing check but rather a chain of two distinct weaknesses in the plugin's licensing and cloud protection subsystem:

Flaw 1: Missing Authorization in save_ajax()

The save_ajax() function in the plugin's licensing module handles AJAX based settings saves for the license configuration. In all versions up to and including 5.38, this function contained an insufficient (or entirely absent) capability check. WordPress capability checks are the standard mechanism for verifying whether a user has the permissions required to perform a given action. Without this check, any authenticated user, including those with the lowest default role (Subscriber), could invoke this AJAX action and write arbitrary values into the plugin's license metadata. The critical field here is cloud_protection_url, which controls where the plugin fetches its cloud protection archive.

Flaw 2: Unrestricted File Extraction in sync_cloud_protection()

The sync_cloud_protection() function is responsible for downloading a ZIP archive from whatever URL is stored in the cloud_protection_url license meta field. In vulnerable versions, this function performed no file type validation on the contents of the downloaded archive. It extracted everything directly into a web accessible WordPress uploads directory. There was no allowlist of permitted file extensions, no content type inspection, and no sanitization of filenames within the archive.

Attack Flow

An attacker exploiting CVE-2026-5411 would follow this sequence:

  1. Obtain Subscriber access: Register a new account on the target WordPress site (if open registration is enabled) or use any existing authenticated account with Subscriber or higher privileges.

  2. Inject malicious URL: Send an AJAX request to the save_ajax() endpoint, setting the cloud_protection_url license meta field to point at an attacker controlled server. This server hosts a ZIP archive containing a PHP webshell.

  3. Trigger cloud protection sync: Invoke the sync_cloud_protection() function, which reads the now poisoned cloud_protection_url, downloads the ZIP archive from the attacker's server, and extracts its contents into the web accessible uploads directory.

  4. Execute the webshell: Access the extracted PHP file via a direct HTTP request to the known uploads path (e.g., https://target.com/wp-content/uploads/[path]/shell.php). The attacker now has remote code execution on the server with the privileges of the web server process.

Configuration Dependency

A notable constraint on the remote exploitation path: the PHP configuration directive allow_url_fopen must be enabled for sync_cloud_protection() to fetch files from a remote URL. This directive allows PHP's file functions (such as file_get_contents()) to open remote URLs. It is enabled by default in many PHP configurations, making the remote exploitation path viable on a significant portion of WordPress deployments.

When allow_url_fopen is disabled, the remote fetch fails. However, this does not fully eliminate the risk. If an attacker can place a malicious archive on the local filesystem through another vector, the extraction phase would still function without restriction.

Discovery and Disclosure

The vulnerability was discovered by security researcher h0xilo and coordinated through Wordfence's vulnerability disclosure program. The CVE was published by NVD on June 5, 2026. Wordfence served as the CNA (CVE Numbering Authority) for this vulnerability.

A companion vulnerability, CVE-2026-5415 (also CVSS 8.8), was disclosed on the same day in the same plugin version. That vulnerability is an authentication bypass via temporary login link. Both flaws stem from missing authorization checks on AJAX actions available to low privileged users, pointing to a systemic gap in the plugin's access control architecture.

Patch Information

The vendor addressed CVE-2026-5411 in WP Captcha PRO version 5.39, as authoritatively confirmed by Wordfence, the CNA for this vulnerability. The Wordfence advisory explicitly states the remediation: "Update to version 5.39, or a newer patched version," with the affected range being all versions up to and including 5.38.

The fix in version 5.39 addresses both links in the exploit chain:

  • Proper capability/authorization checks were added to the save_ajax() function, ensuring that only users with appropriate administrative privileges can modify the license meta, including the cloud_protection_url field. This closes the door on Subscriber level users manipulating the cloud protection configuration.

  • File type validation was introduced in sync_cloud_protection() to prevent the extraction of dangerous file types (such as .php files) from downloaded archives, adding a critical second layer of defense even if the authorization check were somehow bypassed.

It is worth noting that the vendor's public changelog at getwpcaptcha.com/changelog/ has not been updated to reflect versions beyond 5.29 (dated March 2025), meaning there is no vendor published release note explicitly documenting the security fix. However, third party distribution sites confirm that version 5.39 was published around April 19, 2026, predating the public CVE disclosure on June 5, 2026. This suggests a coordinated disclosure process where the patch was silently shipped before the advisory went public.

The free version of the plugin, listed on WordPress.org as "Advanced Google reCAPTCHA," uses a separate version numbering scheme (currently at v1.35) and is not directly affected by this specific CVE, which targets the premium only licensing module code path unique to WP Captcha PRO.

Interim Mitigations

If immediate patching is not feasible, the following measures reduce exposure:

Disable the plugin entirely. This removes the vulnerable AJAX endpoint. Note that this also removes CAPTCHA protection from login, registration, and comment forms, so alternative spam protection should be deployed.

Set allow_url_fopen = Off in php.ini. This blocks the remote URL exploitation path but does not address the underlying missing authorization in save_ajax().

Restrict Subscriber account creation. Audit WordPress user accounts and restrict or remove Subscriber level accounts. Implement registration controls such as invitation only signup or email verification.

Block PHP execution in the uploads directory. For Apache, add to .htaccess in the uploads directory:

<Files *.php> deny from all </Files>

For Nginx:

location /wp-content/uploads/ { location ~ \.php$ { deny all; } }

This does not prevent file upload but neutralizes the webshell execution path.

Deploy WAF rules. The Wordfence Premium, Care, and Response firewall includes a virtual patch for this vulnerability. Custom WAF rules can also block the vulnerable AJAX action for non administrative users.

Affected Systems and Versions

  • WP Captcha PRO: All versions up to and including 5.38. The first patched version is 5.39.
  • Plugin slug: advanced-google-recaptcha (shared between the free Advanced Google reCAPTCHA and the premium WP Captcha PRO).
  • WordPress requirement: 4.9 or higher.
  • PHP requirement: 5.2 or higher.
  • Configuration dependency: Remote exploitation requires allow_url_fopen to be enabled in php.ini (enabled by default in many PHP installations).
  • Authentication requirement: Any authenticated WordPress user with Subscriber level access or above.

The free version of Advanced Google reCAPTCHA (currently at v1.35 on WordPress.org) is not directly affected by this specific CVE, as the vulnerable code path exists within the premium only licensing module. However, both versions share the same plugin slug, so organizations should verify which version is deployed across their WordPress fleet.

Vendor Security History

WebFactory Ltd has a documented pattern of security issues in the Advanced Google reCAPTCHA / WP Captcha PRO plugin family. CVE-2026-5411 is the fifth vulnerability disclosed in this plugin:

CVE IDVulnerabilityCVSSAffected VersionSeverity
CVE-2026-5411Missing Authorization to Arbitrary File Upload8.8WP Captcha PRO <=5.38High
CVE-2026-5415Authentication Bypass via Temporary Login Link8.8WP Captcha PRO <=5.38High
CVE-2025-2074Limited SQL Injection via sSearch Parameter5.3Free <=1.29Medium
CVE-2025-1262Built in Math CAPTCHA Bypass5.3Free <=1.27Medium
CVE-2024-12034Brute Force Protection IP Unblock5.3Free <=1.25Medium

The trajectory here is notable. The three earlier vulnerabilities were all medium severity (5.3) and affected the free version. The two most recent disclosures are both high severity (8.8) and affect the premium version, indicating that the PRO codebase, which introduces licensing and cloud protection features, has received less rigorous security review than the free version despite being a paid product.

The free version's changelog documents multiple security related updates: version 1.30 (March 2025) included security fixes, version 1.28 (February 2025) improved math CAPTCHA security, and versions 1.23, 1.22, and 1.17 also included security patches. The plugin's FAQ directs security researchers to the Patchstack Vulnerability Disclosure Program, though CVE-2026-5411 was disclosed through Wordfence instead.

Threat Intelligence Context

As of June 5, 2026, no evidence of active exploitation of CVE-2026-5411 has been identified. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog.

However, the broader threat landscape provides important context for urgency assessment:

Given the CVSS 8.8 score, the low authentication barrier, and the direct RCE outcome, CVE-2026-5411 fits the profile of vulnerabilities that transition from disclosure to mass exploitation within days. The absence of current wild exploitation likely reflects the hours old status of the disclosure rather than any inherent difficulty in weaponization.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization