CVE-2026-5415: WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link
The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajax_run_tool() AJAX handler relying solely on a nonce check (check_ajax_referer) for security without performing any capability check, combined with the create_temporary_link tool allowing the generation of passwordless login links for arbitrary users, and the handle_temporary_links() function authenticating visitors via these links without any additional authorization validation. The required nonce is exposed to all authenticated backend users (including Subscribers) via wp_localize_script() on all non-settings admin pages when the plugin's welcome pointer has not been dismissed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass normal authentication and log in as any user, including Administrators, resulting in complete account takeover.
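The flaw described above is a classic confusion of a CSRF nonce with authorization: check_ajax_referer() proves the request was made on purpose from a page that carried the nonce, not that the caller is allowed to perform the action. The following is an added example, not the plugin's own code and not HarborGuard's: it sketches the handler pattern as described (nonce check only, caller-chosen target user) and then a hardened version that adds a capability check, scopes the nonce to the tool's own settings page, and makes the temporary link short-lived, single-use and hash-stored. Every identifier prefixed with hg_example_ (action names, nonce action, script handle, query parameter) is hypothetical.

```php
<?php
/*
 * Added example (not the plugin vendor's code, not HarborGuard's). All
 * "hg_example_" names are hypothetical; WordPress API calls are real.
 */

/* ---- 1. The pattern as described: a nonce proves intent, not authority ---- */
add_action('wp_ajax_hg_example_vuln_run_tool', 'hg_example_vuln_ajax_run_tool');
function hg_example_vuln_ajax_run_tool() {
    // Passes for any authenticated user who has seen the nonce value.
    check_ajax_referer('hg_example_tool', 'nonce');
    if (($_POST['tool'] ?? '') === 'create_temporary_link') {
        $user_id = absint($_POST['user_id'] ?? 0);   // caller-chosen target, never checked
        wp_send_json_success(['url' => hg_example_create_temporary_link($user_id)]);
    }
    wp_send_json_error('unknown tool');
}

/* ---- 2. Hardened: authorize the caller, validate the target, then act ---- */
add_action('wp_ajax_hg_example_run_tool', 'hg_example_ajax_run_tool');
function hg_example_ajax_run_tool() {
    check_ajax_referer('hg_example_tool', 'nonce');      // CSRF protection only
    if (!current_user_can('manage_options')) {            // the missing capability check
        wp_send_json_error('insufficient privileges', 403);
    }
    $tool = sanitize_key(wp_unslash($_POST['tool'] ?? ''));
    if ($tool !== 'create_temporary_link') {
        wp_send_json_error('unknown tool', 400);
    }
    $target = get_user_by('id', absint($_POST['user_id'] ?? 0));
    if (!$target) {
        wp_send_json_error('no such user', 404);
    }
    wp_send_json_success(['url' => hg_example_create_temporary_link($target->ID)]);
}

/* Mint a short-lived, single-use token; store only its hash so a database read is not a login. */
function hg_example_create_temporary_link(int $user_id): string {
    $token = wp_generate_password(32, false);          // 32 random alphanumerics
    set_transient(
        'hg_example_tmp_' . hash('sha256', $token),
        ['user_id' => $user_id, 'issued_by' => get_current_user_id()],
        15 * MINUTE_IN_SECONDS
    );
    return add_query_arg('hg_example_tmp_login', $token, home_url('/'));
}

/* Consume the link: validate, burn it, then log in through the normal hooks. */
add_action('init', 'hg_example_handle_temporary_links');
function hg_example_handle_temporary_links() {
    if (empty($_GET['hg_example_tmp_login'])) {
        return;
    }
    $token  = sanitize_text_field(wp_unslash($_GET['hg_example_tmp_login']));
    $key    = 'hg_example_tmp_' . hash('sha256', $token);
    $record = get_transient($key);
    if (!is_array($record)) {
        wp_die('Invalid or expired login link.', 'Forbidden', 403);
    }
    delete_transient($key);                            // single use, even if a later step fails
    $user = get_user_by('id', (int) $record['user_id']);
    if (!$user) {
        wp_die('Invalid or expired login link.', 'Forbidden', 403);
    }
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID);
    do_action('wp_login', $user->user_login, $user);   // so login-monitoring hooks see it
    wp_safe_redirect(admin_url());
    exit;
}

/* Expose the nonce only on the tool's own settings page, not on every admin screen. */
add_action('admin_enqueue_scripts', function (string $hook_suffix) {
    if ($hook_suffix !== 'settings_page_hg_example') {  // hypothetical settings page hook
        return;
    }
    wp_localize_script('hg-example-admin', 'hgExample', [   // assumes this handle is enqueued
        'nonce' => wp_create_nonce('hg_example_tool'),
    ]);
});
```

The capability check is the fix that matters; the scoped nonce, expiring token and single-use consumption are defence in depth, so that a leaked nonce or a database disclosure no longer converts directly into a session for an arbitrary account. During code review of any wp_ajax_* handler, the question to ask is whether check_ajax_referer() is the only gate between the request and a privileged action.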
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Authentication bypass in WP Captcha PRO (Advanced Google reCAPTCHA plugin for WordPress) versions up to and including 5.38 allows a low-privilege attacker to generate a passwordless login link for any WordPress user, including administrators. The vulnerability is reachable over the network and requires only a subscriber-level account; the nonce needed to trigger the flawed AJAX handler is leaked to all authenticated backend users on non-settings admin pages. Successful exploitation gives the attacker full control of any targeted account, including administrative accounts, resulting in complete site takeover. No fix version has been published; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-5415 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Wordfence advisory feed, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the affected plugin. Any image containing the webfactory Advanced Google reCAPTCHA plugin at version 5.38 or below is flagged automatically.
Status: Available
HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights that score against each customer environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules for WordPress-based workloads.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the Wordfence advisory and upstream plugin repository on every ingest cycle. The moment a patched release is available, a rebuilt image at the fix version becomes available on HarborGuard, and customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads automatically.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable AJAX handler is exposed over the network via the WordPress HTTP endpoint, so the attacker must be able to reach the target WordPress installation over the internet or an internal network.
- Authentication: Required
  A valid WordPress account at subscriber level or above is required; any low-privilege account that can access the admin backend is sufficient to obtain the exposed nonce and trigger the AJAX handler.
- Victim interaction: Not required
  No victim action is needed; the attacker independently calls the AJAX handler and generates the passwordless login link without any user interaction.
- Attack complexity: Low
  Attack complexity is low: once the attacker holds a subscriber-level session and the plugin's welcome pointer has not been dismissed on the target site, no further conditions apply and the exploit is reliable.
Blast Radius
- Attacker generates a passwordless login link for any WordPress user, including site administrators, and authenticates as that user without knowing their password.
- Full administrative access to the WordPress dashboard allows the attacker to read all stored content, user data, and credentials held in the site's database.
- With admin access, the attacker can install or modify plugins and themes, injecting arbitrary code into the site's PHP execution context.
- The attacker can create, modify, or delete posts, pages, users, and site configuration, causing persistent data tampering or full site defacement.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-5415 at this time, HarborGuard continuously monitors the Wordfence advisory and the webfactory plugin repository on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is published. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls to consider include network-policy rules that restrict wp-admin and admin-ajax.php access to known trusted IP ranges, egress filtering to prevent the WordPress application tier from initiating outbound authentication flows, and feature-flag or plugin-deactivation mechanisms that disable the Advanced Google reCAPTCHA plugin entirely until a patch ships. Customers should also audit subscriber-level accounts in affected WordPress instances to reduce the pool of principals that could exploit the exposed nonce.
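One way to apply the first compensating control above at the application layer, when no network policy engine sits in front of the site, is a must-use plugin that refuses /wp-admin/ and authenticated admin-ajax.php requests from outside trusted source ranges. This is an added example, not HarborGuard's code and not the plugin vendor's; the CIDR list is a placeholder (documentation and private address space), the hg_example_ names are hypothetical, and it assumes 64-bit PHP and that REMOTE_ADDR holds the real client address (that is, no reverse proxy, or one that is trusted to rewrite it).

```php
<?php
/*
 * Plugin Name: Interim admin network restriction (added example)
 * Added example, not HarborGuard's or the plugin vendor's code. Place in
 * wp-content/mu-plugins/ to gate /wp-admin/ and admin-ajax.php to trusted
 * source ranges until a fixed plugin release ships. Ranges are placeholders.
 */

// Placeholder ranges (RFC 5737 documentation space, RFC 1918 private space).
const HG_EXAMPLE_TRUSTED_CIDRS = ['203.0.113.0/24', '10.0.0.0/8'];

/* IPv4 CIDR match with no external dependencies (assumes 64-bit PHP). */
function hg_example_ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ip_long  = ip2long($ip);
    $net_long = ip2long($net);
    $bits     = (int) $bits;
    if ($ip_long === false || $net_long === false || $bits < 0 || $bits > 32) {
        return false;                                   // malformed input never matches
    }
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ip_long & $mask) === ($net_long & $mask);
}

function hg_example_ip_trusted(string $ip): bool {
    foreach (HG_EXAMPLE_TRUSTED_CIDRS as $cidr) {
        if (hg_example_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Priority 0 on init: runs before the wp_ajax_* actions that admin-ajax.php dispatches.
add_action('init', function () {
    if (!is_admin()) {                                  // true for /wp-admin/*, admin-ajax.php included
        return;
    }
    if (wp_doing_ajax() && !is_user_logged_in()) {
        return;                                         // leave anonymous (nopriv) front-end AJAX alone
    }
    // REMOTE_ADDR only: X-Forwarded-For is caller-controlled unless a trusted proxy rewrites it.
    $ip = (string) ($_SERVER['REMOTE_ADDR'] ?? '');
    if (hg_example_ip_trusted($ip)) {
        return;
    }
    wp_die('The administrative interface is restricted to trusted networks.', 'Forbidden', 403);
}, 0);
```

Because the flawed handler needs an authenticated admin-ajax.php request to mint a link, blocking that request path from untrusted networks removes the minting step even though the link-consumption code itself is untouched. The control is deliberately coarse: it also locks out legitimate editors outside the trusted ranges, which is the trade-off the advisory's interim guidance accepts until the upstream fix ships. Pair it with the account audit the section recommends; on a host with WP-CLI, `wp user list --role=subscriber` enumerates the accounts in scope.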
- webfactory / Advanced Google reCAPTCHA: ≤ 5.38
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H