Introduction
A missing authorization check in WP Captcha PRO's licensing module allows any WordPress user with a Subscriber account to inject a malicious URL into the plugin's configuration, triggering an unrestricted file download and extraction that places a PHP webshell directly into a web accessible uploads directory. With 200,000+ active installations of the underlying Advanced Google reCAPTCHA plugin (which shares the same slug as the premium WP Captcha PRO), this CVSS 8.8 vulnerability represents a significant remote code execution risk across a large swath of the WordPress ecosystem.
WP Captcha PRO, developed by WebFactory Ltd, is the premium version of the Advanced Google reCAPTCHA plugin. It provides CAPTCHA protection for WordPress login, registration, comment, and contact forms, integrating with Google reCAPTCHA v2/v3 and offering additional features like brute force protection and cloud based security in the PRO tier. The free version alone has over 200,000 active installations, making it one of the more widely deployed CAPTCHA solutions for WordPress.
Technical Information
Root Cause: Two Flaws, One Chain
CVE-2026-5411 is classified under CWE-434: Unrestricted Upload of File with Dangerous Type. The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting that the attack is network based, low complexity, requires only low privilege authentication, needs no user interaction, and achieves high impact across confidentiality, integrity, and availability.
The vulnerability is not a single missing check but rather a chain of two distinct weaknesses in the plugin's licensing and cloud protection subsystem:
Flaw 1: Missing Authorization in save_ajax()
The save_ajax() function in the plugin's licensing module handles AJAX based settings saves for the license configuration. In all versions up to and including 5.38, this function contained an insufficient (or entirely absent) capability check. WordPress capability checks are the standard mechanism for verifying whether a user has the permissions required to perform a given action. Without this check, any authenticated user, including those with the lowest default role (Subscriber), could invoke this AJAX action and write arbitrary values into the plugin's license metadata. The critical field here is cloud_protection_url, which controls where the plugin fetches its cloud protection archive.
Flaw 2: Unrestricted File Extraction in sync_cloud_protection()
The sync_cloud_protection() function is responsible for downloading a ZIP archive from whatever URL is stored in the cloud_protection_url license meta field. In vulnerable versions, this function performed no file type validation on the contents of the downloaded archive. It extracted everything directly into a web accessible WordPress uploads directory. There was no allowlist of permitted file extensions, no content type inspection, and no sanitization of filenames within the archive.
Attack Flow
An attacker exploiting CVE-2026-5411 would follow this sequence:
-
Obtain Subscriber access: Register a new account on the target WordPress site (if open registration is enabled) or use any existing authenticated account with Subscriber or higher privileges.
-
Inject malicious URL: Send an AJAX request to the
save_ajax()endpoint, setting thecloud_protection_urllicense meta field to point at an attacker controlled server. This server hosts a ZIP archive containing a PHP webshell. -
Trigger cloud protection sync: Invoke the
sync_cloud_protection()function, which reads the now poisonedcloud_protection_url, downloads the ZIP archive from the attacker's server, and extracts its contents into the web accessible uploads directory. -
Execute the webshell: Access the extracted PHP file via a direct HTTP request to the known uploads path (e.g.,
https://target.com/wp-content/uploads/[path]/shell.php). The attacker now has remote code execution on the server with the privileges of the web server process.
Configuration Dependency
A notable constraint on the remote exploitation path: the PHP configuration directive allow_url_fopen must be enabled for sync_cloud_protection() to fetch files from a remote URL. This directive allows PHP's file functions (such as file_get_contents()) to open remote URLs. It is enabled by default in many PHP configurations, making the remote exploitation path viable on a significant portion of WordPress deployments.
When allow_url_fopen is disabled, the remote fetch fails. However, this does not fully eliminate the risk. If an attacker can place a malicious archive on the local filesystem through another vector, the extraction phase would still function without restriction.
Discovery and Disclosure
The vulnerability was discovered by security researcher h0xilo and coordinated through Wordfence's vulnerability disclosure program. The CVE was published by NVD on June 5, 2026. Wordfence served as the CNA (CVE Numbering Authority) for this vulnerability.
A companion vulnerability, CVE-2026-5415 (also CVSS 8.8), was disclosed on the same day in the same plugin version. That vulnerability is an authentication bypass via temporary login link. Both flaws stem from missing authorization checks on AJAX actions available to low privileged users, pointing to a systemic gap in the plugin's access control architecture.
Patch Information
The vendor addressed CVE-2026-5411 in WP Captcha PRO version 5.39, as authoritatively confirmed by Wordfence, the CNA for this vulnerability. The Wordfence advisory explicitly states the remediation: "Update to version 5.39, or a newer patched version," with the affected range being all versions up to and including 5.38.
The fix in version 5.39 addresses both links in the exploit chain:
-
Proper capability/authorization checks were added to the
save_ajax()function, ensuring that only users with appropriate administrative privileges can modify the license meta, including thecloud_protection_urlfield. This closes the door on Subscriber level users manipulating the cloud protection configuration. -
File type validation was introduced in
sync_cloud_protection()to prevent the extraction of dangerous file types (such as.phpfiles) from downloaded archives, adding a critical second layer of defense even if the authorization check were somehow bypassed.
It is worth noting that the vendor's public changelog at getwpcaptcha.com/changelog/ has not been updated to reflect versions beyond 5.29 (dated March 2025), meaning there is no vendor published release note explicitly documenting the security fix. However, third party distribution sites confirm that version 5.39 was published around April 19, 2026, predating the public CVE disclosure on June 5, 2026. This suggests a coordinated disclosure process where the patch was silently shipped before the advisory went public.
The free version of the plugin, listed on WordPress.org as "Advanced Google reCAPTCHA," uses a separate version numbering scheme (currently at v1.35) and is not directly affected by this specific CVE, which targets the premium only licensing module code path unique to WP Captcha PRO.
Interim Mitigations
If immediate patching is not feasible, the following measures reduce exposure:
Disable the plugin entirely. This removes the vulnerable AJAX endpoint. Note that this also removes CAPTCHA protection from login, registration, and comment forms, so alternative spam protection should be deployed.
Set allow_url_fopen = Off in php.ini. This blocks the remote URL exploitation path but does not address the underlying missing authorization in save_ajax().
Restrict Subscriber account creation. Audit WordPress user accounts and restrict or remove Subscriber level accounts. Implement registration controls such as invitation only signup or email verification.
Block PHP execution in the uploads directory. For Apache, add to .htaccess in the uploads directory:
<Files *.php> deny from all </Files>
For Nginx:
location /wp-content/uploads/ { location ~ \.php$ { deny all; } }
This does not prevent file upload but neutralizes the webshell execution path.
Deploy WAF rules. The Wordfence Premium, Care, and Response firewall includes a virtual patch for this vulnerability. Custom WAF rules can also block the vulnerable AJAX action for non administrative users.
Affected Systems and Versions
- WP Captcha PRO: All versions up to and including 5.38. The first patched version is 5.39.
- Plugin slug:
advanced-google-recaptcha(shared between the free Advanced Google reCAPTCHA and the premium WP Captcha PRO). - WordPress requirement: 4.9 or higher.
- PHP requirement: 5.2 or higher.
- Configuration dependency: Remote exploitation requires
allow_url_fopento be enabled inphp.ini(enabled by default in many PHP installations). - Authentication requirement: Any authenticated WordPress user with Subscriber level access or above.
The free version of Advanced Google reCAPTCHA (currently at v1.35 on WordPress.org) is not directly affected by this specific CVE, as the vulnerable code path exists within the premium only licensing module. However, both versions share the same plugin slug, so organizations should verify which version is deployed across their WordPress fleet.
Vendor Security History
WebFactory Ltd has a documented pattern of security issues in the Advanced Google reCAPTCHA / WP Captcha PRO plugin family. CVE-2026-5411 is the fifth vulnerability disclosed in this plugin:
| CVE ID | Vulnerability | CVSS | Affected Version | Severity |
|---|---|---|---|---|
| CVE-2026-5411 | Missing Authorization to Arbitrary File Upload | 8.8 | WP Captcha PRO <=5.38 | High |
| CVE-2026-5415 | Authentication Bypass via Temporary Login Link | 8.8 | WP Captcha PRO <=5.38 | High |
| CVE-2025-2074 | Limited SQL Injection via sSearch Parameter | 5.3 | Free <=1.29 | Medium |
| CVE-2025-1262 | Built in Math CAPTCHA Bypass | 5.3 | Free <=1.27 | Medium |
| CVE-2024-12034 | Brute Force Protection IP Unblock | 5.3 | Free <=1.25 | Medium |
The trajectory here is notable. The three earlier vulnerabilities were all medium severity (5.3) and affected the free version. The two most recent disclosures are both high severity (8.8) and affect the premium version, indicating that the PRO codebase, which introduces licensing and cloud protection features, has received less rigorous security review than the free version despite being a paid product.
The free version's changelog documents multiple security related updates: version 1.30 (March 2025) included security fixes, version 1.28 (February 2025) improved math CAPTCHA security, and versions 1.23, 1.22, and 1.17 also included security patches. The plugin's FAQ directs security researchers to the Patchstack Vulnerability Disclosure Program, though CVE-2026-5411 was disclosed through Wordfence instead.
Threat Intelligence Context
As of June 5, 2026, no evidence of active exploitation of CVE-2026-5411 has been identified. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog.
However, the broader threat landscape provides important context for urgency assessment:
- CVE-2026-8732 in WP Maps Pro, a closely analogous WordPress plugin vulnerability that allowed attackers to create admin accounts, was actively exploited with 2,858 attacks within 24 hours of disclosure (reported June 1, 2026).
- The ShadowCaptcha campaign (August 2025) specifically targeted WordPress sites using CAPTCHA related functionality, exploiting over 100 sites to spread ransomware, steal data, and mine cryptocurrency.
- VulnCheck's research found that 25 CVEs disclosed in 2026 have already been routinely targeted by adversaries and researchers.
Given the CVSS 8.8 score, the low authentication barrier, and the direct RCE outcome, CVE-2026-5411 fits the profile of vulnerabilities that transition from disclosure to mass exploitation within days. The absence of current wild exploitation likely reflects the hours old status of the disclosure rather than any inherent difficulty in weaponization.
References
- NVD: CVE-2026-5411
- Wordfence Advisory: WP Captcha PRO <= 5.38 Missing Authorization to Arbitrary File Upload
- CVE Feed: CVE-2026-5411
- WP Captcha PRO Official Site
- WP Captcha PRO Changelog
- Advanced Google reCAPTCHA on WordPress.org
- Wordfence: Advanced Google reCAPTCHA Vulnerability History
- WebFactory Ltd WordPress Profile
- The Hacker News: Critical WP Maps Pro Flaw Actively Exploited
- VulnCheck: Quantifying 2026 Routinely Targeted Vulnerabilities
- ShadowCaptcha Campaign Hijacks 100+ WordPress Sites
- CISA Known Exploited Vulnerabilities Catalog



