VYPR
Unrated severity · NVD Advisory · Published Sep 16, 2022 · Updated Jun 3, 2025

Login No Captcha reCAPTCHA < 1.7 - IP Check Bypass

CVE-2022-2913

Description

The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Login No Captcha reCAPTCHA plugin before 1.7 fails to verify the correct IP address, allowing attackers to spoof IPs on the allow list and bypass the CAPTCHA on login.

Vulnerability

The Login No Captcha reCAPTCHA WordPress plugin versions before 1.7 contain an IP address check bypass vulnerability. The plugin does not verify the proper IP address when checking the allow list, allowing an attacker to spoof their IP address and bypass the requirement to solve a CAPTCHA on the login screen [1].

Exploitation

An attacker can spoof their IP address to match an entry on the plugin's IP allow list. No authentication or special privileges are required; the attack is performed remotely by manipulating the IP address in the request headers (e.g., X-Forwarded-For). The attacker then accesses the WordPress login page without being prompted for a CAPTCHA [1].

Impact

Successful exploitation allows an attacker to bypass the CAPTCHA protection on the login screen. This increases the risk of brute-force attacks against WordPress user accounts, as the attacker no longer has to solve a CAPTCHA for each login attempt [1].

Mitigation

Update the Login No Captcha reCAPTCHA plugin to version 1.7 or later, which fixes the IP address check. The vulnerability was publicly disclosed on 2022-08-22 and fixed in version 1.7 [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The plugin does not validate the true source IP address of login requests, allowing an attacker to spoof the IP header and bypass the CAPTCHA allow list."

Attack vector

An attacker can spoof their IP address by manipulating HTTP headers (such as X-Forwarded-For) to match an IP on the plugin's allow list [1]. Because the plugin trusts the spoofed IP rather than the actual connecting IP, the reCAPTCHA challenge is skipped entirely. This allows unauthenticated attackers to perform brute-force or automated login attempts without solving a CAPTCHA [1]. The attack requires no special privileges and can be carried out over the standard login endpoint.

Affected code

The advisory does not specify the exact file or function at fault. The vulnerable component is the IP-address check logic within the Login No Captcha reCAPTCHA plugin for WordPress, versions before 1.7 [1].

What the fix does

The advisory states the issue is fixed in version 1.7 of the Login No Captcha reCAPTCHA plugin [1]. No patch diff is provided in the bundle, but the fix presumably validates the actual remote IP address from the server's connection rather than trusting user-supplied headers. Users should update to version 1.7 or later to ensure the CAPTCHA cannot be bypassed via IP spoofing.
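Because the bundle carries no patch diff, the following is an added illustrative example of the bug class, not the plugin's own code and not taken from the advisory: an IP allow-list check that trusts X-Forwarded-For, beside a hardened version that takes the client address from the server connection and honours the header only when the connecting peer is a known reverse proxy. The allow list, the proxy address and the request arrays are constructed sample values; the `$_SERVER` key names are PHP's standard ones.

```php
<?php
// Added example (not the plugin's code). Constructed configuration values:
const CAPTCHA_ALLOW_LIST = ['203.0.113.10']; // IPs exempt from the login CAPTCHA
const TRUSTED_PROXIES    = ['10.0.0.5'];     // reverse proxy sitting in front of PHP

// VULNERABLE pattern: prefers the client-controlled X-Forwarded-For header whenever
// it is present, so any remote client can claim an allow-listed address.
function client_ip_vulnerable(array $server): string {
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'];
}

// HARDENED pattern: the TCP peer address (REMOTE_ADDR) is authoritative unless the
// peer is one of our own trusted proxies; only then is the header consulted, and only
// its rightmost entry, which that proxy appended and an outside client cannot forge.
function client_ip_hardened(array $server): string {
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, TRUSTED_PROXIES, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $parts     = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $candidate = end($parts);
    // Reject malformed values rather than letting garbage reach the allow-list compare.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $peer;
}

function captcha_required(string $ip): bool {
    return !in_array($ip, CAPTCHA_ALLOW_LIST, true);
}

// Constructed request: a direct connection from an outside host carrying a forged header.
$spoofed = [
    'REMOTE_ADDR'          => '198.51.100.77',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.10',
];
var_dump(captcha_required(client_ip_vulnerable($spoofed))); // header trusted: exemption granted
var_dump(captcha_required(client_ip_hardened($spoofed)));   // peer is not a proxy: header ignored

// Constructed request: the same forged value arriving through the real proxy, which
// appends the true client address as the last entry.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.10, 198.51.100.77',
];
var_dump(captcha_required(client_ip_hardened($viaProxy)));  // rightmost entry used
```

The hardened variant still depends on the proxy overwriting or appending to the header rather than passing a client-supplied value through unchanged, so the proxy configuration is part of the check.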

Preconditions

  • Network: Attacker must be able to send HTTP requests to the WordPress login endpoint with spoofed IP headers (e.g., X-Forwarded-For).
  • Config: The plugin must have an IP allow list configured that exempts certain IPs from CAPTCHA.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)