How is CVE-2026-5411 exploited?

Network reachability (required): The vulnerable save_ajax() endpoint is exposed over the network, so an attacker must be able to reach the WordPress instance via HTTP or HTTPS. Authentication (required): A valid WordPress account at Subscriber level or above is sufficient; no administrative or elevated role is needed. Victim interaction (not-required): The attacker interacts directly with the plugin endpoint; no user action or social engineering is required. Attack complexity (info): The exploit is reliable and condition-free under standard CVSS scoring, though the remote URL injection path does require allow_url_fopen to be enabled in php.ini on the target server.

What is the impact of CVE-2026-5411?

The attacker uploads a PHP webshell to a web-accessible uploads directory and executes arbitrary operating system commands on the server. Full read access to all data the web server process can reach, including WordPress database credentials, environment variables, and stored user data. Full write access to the filesystem paths accessible to the web server, enabling modification or deletion of application files and persisted content. The attacker can use the compromised server as a pivot point for lateral movement or further attacks within the same network segment.

Back to search

HIGHCVE-2026-5411Published 2026-06-05Modified 2026-06-05CNA Wordfence

CVE-2026-5411: WP Captcha PRO <= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

Q: What is CVE-2026-5411?

Missing authorization combined with unrestricted file extraction in WP Captcha PRO (also distributed as Advanced Google reCAPTCHA) for WordPress allows an authenticated attacker with Subscriber-level access to upload arbitrary files, including PHP webshells, to the server. The vulnerability is reachable over the network and requires no elevated privileges beyond a basic WordPress account. Successful exploitation gives the attacker remote code execution on the host. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

Q: Is CVE-2026-5411 patched?

No fix version has been published upstream; HarborGuard re-checks the Wordfence advisory on every ingest cycle and will make a patched-image rebuild available immediately when an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically at that point.

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 5.38. This is due to a capability check in the save_ajax() function of the licensing module, combined with unrestricted file extraction in sync_cloud_protection(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files including PHP webshells to the server by injecting a malicious cloud_protection_url into the license meta, which the plugin then downloads and extracts without file type validation into a web-accessible uploads directory. This can be used for remote code execution. Note: The vulnerability can only be exploited with a remote URL if "allow_url_fopen" is enabled in the php.ini config.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Missing authorization combined with unrestricted file extraction in WP Captcha PRO (also distributed as Advanced Google reCAPTCHA) for WordPress allows an authenticated attacker with Subscriber-level access to upload arbitrary files, including PHP webshells, to the server. The vulnerability is reachable over the network and requires no elevated privileges beyond a basic WordPress account. Successful exploitation gives the attacker remote code execution on the host. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-5411 is ingested from upstream advisory feeds (including Wordfence) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the affected plugin. No manual configuration is required for the match to run.

Available

Triage

HarborGuard scores this finding at CVSS 8.8 HIGH (v3.1) and weights it against each environment's compliance policy to assign priority and route it to the appropriate team inbox. Environments with stricter policies for network-exploitable, low-privilege RCE paths will surface this at the top of their queue automatically.

Available

Patch

No fix version has been published upstream; HarborGuard re-checks the Wordfence advisory on every ingest cycle and will make a patched-image rebuild available immediately when an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically at that point.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable save_ajax() endpoint is exposed over the network, so an attacker must be able to reach the WordPress instance via HTTP or HTTPS.
AuthenticationRequired
A valid WordPress account at Subscriber level or above is sufficient; no administrative or elevated role is needed.
Victim interactionNot required
The attacker interacts directly with the plugin endpoint; no user action or social engineering is required.
Attack complexityDetail
The exploit is reliable and condition-free under standard CVSS scoring, though the remote URL injection path does require allow_url_fopen to be enabled in php.ini on the target server.

Blast Radius

The attacker uploads a PHP webshell to a web-accessible uploads directory and executes arbitrary operating system commands on the server.
Full read access to all data the web server process can reach, including WordPress database credentials, environment variables, and stored user data.
Full write access to the filesystem paths accessible to the web server, enabling modification or deletion of application files and persisted content.
The attacker can use the compromised server as a pivot point for lateral movement or further attacks within the same network segment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-5411 is active across all customer environments scanning WordPress-based images, including images that bundle the Advanced Google reCAPTCHA or WP Captcha PRO plugin at versions up to and including 5.38. Because no upstream fix exists yet, HarborGuard monitors the Wordfence advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is published; for customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will open automatically without manual intervention. In the meantime, compensating controls worth considering include network-policy isolation that restricts outbound HTTP from the WordPress container (which blocks the allow_url_fopen-dependent injection path), egress filtering on the uploads directory, and disabling allow_url_fopen in the container's php.ini if it is not required by other application functionality.

See how HarborGuard automates this

Affected packages

webfactory / Advanced Google reCAPTCHA
≤ 5.38

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Metrics

Get notified