VYPR
High severity · 8.8 · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-5411

Description

WP Captcha PRO plugin for WordPress allows authenticated users to upload arbitrary files, including webshells, leading to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP Captcha PRO plugin for WordPress, in all versions up to and including 5.38, suffers from an arbitrary file upload vulnerability. This is caused by an insufficient capability check in the save_ajax() function within the licensing module, combined with unrestricted file extraction in sync_cloud_protection(). The vulnerability is present when the allow_url_fopen directive is enabled in php.ini [1].
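As an added defensive illustration (not the plugin's own code and not derived from the fix), the shape of an AJAX settings handler and an archive-extraction routine that close the two gaps described above: a nonce and capability check on the handler, and an extension allowlist with path checks on extraction. Function, option and host names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code: a hardened shape for the two routines
// the advisory describes. Function, option and host names are hypothetical.
add_action( 'wp_ajax_example_save_license', 'example_save_license_ajax' );

function example_save_license_ajax() {
    // Nonce bound to this action plus a high-privilege capability:
    // a Subscriber is logged in but does not have manage_options.
    check_ajax_referer( 'example_save_license', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $url    = esc_url_raw( wp_unslash( $_POST['cloud_protection_url'] ?? '' ) );
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    $host   = wp_parse_url( $url, PHP_URL_HOST );
    // Accept only an HTTPS URL on the vendor's own host (hypothetical host).
    if ( 'https' !== $scheme || 'updates.example-vendor.invalid' !== $host ) {
        wp_send_json_error( 'URL not permitted', 400 );
    }
    update_option( 'example_cloud_protection_url', $url );
    wp_send_json_success();
}

// Extract a downloaded archive into $dest, writing only allowlisted data files
// and refusing entries that could escape $dest or run as PHP. Returns the paths
// written, or a WP_Error if the archive cannot be opened.
function example_safe_extract( string $zip_path, string $dest ) {
    $allowed = array( 'json', 'txt', 'csv' ); // never php, phtml, phar or htaccess
    $zip     = new ZipArchive();
    if ( true !== $zip->open( $zip_path ) ) {
        return new WP_Error( 'bad_zip', 'archive could not be opened' );
    }
    $written = array();
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        // Skip directories, traversal, absolute paths, double extensions
        // such as x.php.txt, and any extension outside the allowlist.
        if ( str_ends_with( $name, '/' ) || str_contains( $name, '..' ) || str_starts_with( $name, '/' )
            || 1 !== substr_count( basename( $name ), '.' ) || ! in_array( $ext, $allowed, true ) ) {
            continue;
        }
        // basename() flattens subdirectories so every file lands directly in $dest.
        $target = trailingslashit( $dest ) . basename( $name );
        file_put_contents( $target, $zip->getFromIndex( $i ) );
        $written[] = $target;
    }
    $zip->close();
    return $written;
}
```

Keeping $dest outside the web-accessible tree, where the plugin's design allows it, removes the remaining risk that a written file is ever served or executed.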

Exploitation

An attacker with at least Subscriber-level access can exploit this vulnerability. The attacker needs to inject a malicious cloud_protection_url into the license meta. The plugin then downloads and extracts the content from this URL without proper file type validation into a web-accessible directory, which can be leveraged to upload a PHP webshell [1].

Impact

Successful exploitation allows an attacker to upload arbitrary files, including PHP webshells, to the server. This can lead to remote code execution with the privileges of the web server process [1].

Mitigation

WP Captcha PRO versions up to and including 5.38 are affected. A patched version is available. Users are advised to update to the latest version of the plugin. No workarounds are disclosed in the available references [1].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0. No linked articles in our index yet.