ZeroPath at Black Hat USA 2026

WP Captcha PRO CVE-2026-5415: Quick Look at a Three-Step Authentication Bypass Affecting 200,000+ WordPress Sites

A brief summary of CVE-2026-5415, a CVSS 8.8 authentication bypass in WP Captcha PRO that chains a missing capability check, nonce leakage, and passwordless login link generation to enable full account takeover from a Subscriber role. Patch information and mitigation strategies are included.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-05

WP Captcha PRO CVE-2026-5415: Quick Look at a Three-Step Authentication Bypass Affecting 200,000+ WordPress Sites
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A security plugin designed to protect WordPress login forms just introduced a way to bypass authentication entirely. CVE-2026-5415 is an authentication bypass in WP Captcha PRO, the premium version of the Advanced Google reCAPTCHA plugin, that allows any user with a Subscriber account to generate a passwordless login link for any other user on the site, including Administrators.

WP Captcha PRO, developed by WebFactory Ltd, is the premium tier of the Advanced Google reCAPTCHA plugin, which reports over 200,000 active installations on WordPress.org. The plugin provides CAPTCHA integration for WordPress login, registration, and comment forms, supporting multiple CAPTCHA types including Google reCAPTCHA v2. Both the free and premium versions share the same WordPress plugin slug (advanced-google-recaptcha), meaning they share code paths and potentially vulnerable components. The irony of a CAPTCHA and login security plugin introducing an authentication bypass is not lost on us.

Technical Information

Root Cause Analysis

CVE-2026-5415 is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries a CVSS 3.1 base score of 8.8 High with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The scoring reflects a network exploitable vulnerability requiring only low privileges (Subscriber role), no user interaction, and resulting in high impact across confidentiality, integrity, and availability. This score was assigned by Wordfence; the NVD has listed the analysis status as "Not Scheduled" due to resource constraints and has not yet provided an independent assessment.

The vulnerability is not a single bug but a chain of three distinct design weaknesses that, when combined, produce a complete authentication bypass:

1. Missing Capability Check in ajax_run_tool()

The ajax_run_tool() AJAX handler uses check_ajax_referer() as its sole security gate. This function verifies a WordPress nonce, which is a mechanism designed to prevent Cross-Site Request Forgery (CSRF). Critically, nonce verification is not an authorization mechanism. WordPress nonces confirm that a request originated from a legitimate page load within a recent time window; they do not verify that the requesting user has the appropriate role or capabilities to perform the requested action. The handler performs no current_user_can() check, meaning any authenticated user who possesses a valid nonce can invoke any tool the handler exposes, regardless of whether they are a Subscriber or an Administrator.

2. Nonce Exposure via wp_localize_script()

The nonce required to call ajax_run_tool() is embedded in JavaScript output via wp_localize_script(). This exposure occurs on all non-settings admin pages whenever the plugin's welcome pointer has not been dismissed. Since the welcome pointer is a one-time dismissible UI element that many administrators may never interact with, the nonce remains broadly accessible. Any authenticated user who can access /wp-admin/, including Subscribers (the lowest WordPress role), receives the nonce in the page's JavaScript payload.

3. Passwordless Temporary Login Link Generation Without Authorization

The create_temporary_link tool, accessible through the unprotected ajax_run_tool() handler, generates passwordless login links for arbitrary user accounts. The handle_temporary_links() function then processes incoming requests using these links and authenticates the visitor without performing any additional authorization validation. There is no check to confirm that the temporary link was generated by an authorized user, no expiration enforcement beyond the link's existence, and no restriction on which target accounts can receive temporary links.

Attack Flow

A realistic exploitation scenario proceeds through the following steps:

  1. Obtain Subscriber Access: The attacker registers a Subscriber account on the target WordPress site (if open registration is enabled) or compromises an existing low-privilege account.

  2. Extract the Nonce: The attacker logs into the WordPress dashboard and navigates to any non-settings admin page (such as /wp-admin/index.php). If the plugin's welcome pointer has not been dismissed, the page's JavaScript includes the AJAX nonce embedded via wp_localize_script(). The attacker extracts this nonce from the page source or browser developer tools.

  3. Generate a Temporary Login Link: Using the extracted nonce, the attacker crafts an AJAX request to ajax_run_tool(), specifying the create_temporary_link tool and providing the target user ID. For most WordPress installations, user ID 1 corresponds to the initial Administrator account. The handler validates the nonce via check_ajax_referer(), which succeeds, and generates a passwordless login URL for the specified user.

  4. Authenticate as the Target User: The attacker accesses the generated temporary login URL. The handle_temporary_links() function processes the request and authenticates the attacker as the target user without requiring a password or any further validation.

  5. Complete Account Takeover: The attacker now has full Administrator access to the WordPress site, enabling arbitrary plugin installation, theme modification, user management, database access, and any other action available to the Administrator role.

Why This Matters

Several characteristics make this vulnerability particularly concerning:

  • Minimal Privilege Requirement: Subscriber is the lowest WordPress role, often available through open registration.
  • No User Interaction: The victim does not need to click a link, visit a page, or take any action.
  • Low Complexity: The attack requires only standard WordPress AJAX interaction; no specialized tools or deep technical knowledge are needed.
  • Full Impact: The attacker gains complete Administrator privileges, which in WordPress means unrestricted control over the site, its database, and its file system.

The CVSS vector confirms this assessment: Attack Vector is Network, Attack Complexity is Low, Privileges Required is Low, and User Interaction is None, with High impact across all three CIA triad dimensions.

Patch Information

WebFactory Ltd released a patch in WP Captcha PRO version 5.39. The Wordfence advisory, published on June 5, 2026, explicitly marks the vulnerability as "Patched: Yes" and designates version 5.39 as the remediation target.

The patch addresses the three interlocking flaws that enabled the authentication bypass:

Capability Check Addition: Version 5.39 is expected to enforce a proper current_user_can() capability check (e.g., requiring manage_options or an equivalent administrator-level capability) in the ajax_run_tool() handler before executing privileged tool actions. This is the core fix: even if a low-privilege user possesses a valid nonce, they will be denied access to sensitive tools like create_temporary_link.

Restricted Temporary Link Generation: The patch restricts access to the create_temporary_link tool so that only users with appropriate privileges can generate temporary login links. This prevents Subscribers from crafting links that grant them Administrator sessions.

Authorization in handle_temporary_links(): Version 5.39 is expected to introduce additional authorization checks in the handle_temporary_links() function, adding validation to ensure that temporary login requests originated from a legitimately authorized workflow.

Nonce Exposure Scope: While the core fix is the addition of capability checks, the patch may also limit the scope of nonce exposure via wp_localize_script() to only the pages and roles where it is necessary, reducing the attack surface even further.

Because WP Captcha PRO is a premium (closed-source) plugin distributed through getwpcaptcha.com, no public code diff or commit history is available. Administrators should update to version 5.39 or later through their plugin dashboard or the vendor's distribution channel.

Interim Mitigations

For environments where immediate patching is not possible, the following measures reduce exposure:

MitigationEffectivenessNotes
Update to version 5.39CompleteAddresses root cause
Dismiss the welcome pointerPartialBlocks nonce exposure path
Restrict Subscriber dashboard accessPartialPrevents nonce extraction
Wordfence Premium/Care/Response firewall ruleProtectiveBlocks exploit traffic
Disable open user registrationPreventiveLimits attacker access to Subscriber accounts
Monitor AJAX calls to ajax_run_toolDetectiveAlerts on exploitation attempts

Dismissing the plugin's welcome pointer removes the nonce exposure condition, breaking one link in the exploit chain. Restricting Subscriber-level users from accessing /wp-admin/ prevents them from reaching the pages where the nonce is embedded. Wordfence Premium, Care, and Response users received a firewall rule providing protection against exploits targeting this vulnerability; the free Wordfence tier does not include this rule.

None of these interim measures are a substitute for patching. The update to version 5.39 is the only complete remediation.

Affected Systems and Versions

  • WP Captcha PRO: All versions up to and including 5.38
  • Advanced Google reCAPTCHA (free version): Shares the same plugin slug (advanced-google-recaptcha) and may share affected code paths; both free and premium installations should be verified
  • Patched Version: 5.39
  • WordPress Role Requirement: Subscriber or above (any authenticated user with dashboard access)
  • Conditional Exposure: The nonce is only exposed when the plugin's welcome pointer has not been dismissed; sites where the pointer has been dismissed have a reduced (but not eliminated) attack surface

The free version on WordPress.org reports 200,000+ active installations. The premium version's installation count is not publicly disclosed but shares the same codebase.

Vendor Security History

WebFactory Ltd's Advanced Google reCAPTCHA and WP Captcha PRO plugins have a documented history of security vulnerabilities:

CVE / VulnerabilityAffected VersionsSeverityDescription
CVE-2026-5415WP Captcha PRO <= 5.388.8 HighAuthentication Bypass via Temporary Login Link
Arbitrary File UploadWP Captcha PRO <= 5.38Not yet scoredMissing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
CVE-2025-1262Advanced Google reCAPTCHA <= 1.275.0 MediumGuessable CAPTCHA bypass
IP Unblock VulnerabilityAdvanced Google reCAPTCHA <= 1.25Not yet scoredBrute Force Protection IP Unblock

The simultaneous discovery of two high-impact vulnerabilities in WP Captcha PRO version 5.38, both stemming from missing authorization and capability checks, points to a systemic pattern rather than an isolated coding error. The ajax_run_tool() handler's reliance on nonce-only security appears to be a recurring design flaw in the plugin's AJAX architecture. Organizations using this plugin should evaluate whether the plugin's security posture aligns with their risk tolerance, particularly given that a security-focused plugin introducing authentication bypass vulnerabilities represents a significant trust concern.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization