VYPR
High severity · CVSS 8.8 · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-5415

Description

WP Captcha PRO plugin for WordPress is vulnerable to authentication bypass, allowing attackers to generate passwordless login links and take over accounts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP Captcha PRO plugin for WordPress, in all versions up to and including 5.38, contains an authentication bypass vulnerability. The ajax_run_tool() AJAX handler relies solely on a nonce check and performs no capability check. A WordPress nonce is a CSRF token: it only shows that the request originated from a page the current user loaded, and it says nothing about whether that user is authorized to run the requested tool. As a result, any user who can obtain the nonce can invoke the create_temporary_link tool and generate a passwordless login link for an arbitrary user. The handle_temporary_links() function then authenticates whoever follows such a link, without further validation. The required nonce is exposed to authenticated users with Subscriber-level access or higher via wp_localize_script() on non-settings admin pages whenever the plugin's welcome pointer is active [1].
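The following is an added illustration of the pattern described above, not code from WP Captcha PRO or from the advisory. It contrasts a WordPress AJAX handler that stops at check_ajax_referer() with a hardened form that also enforces a capability, and shows a link consumer that validates and consumes its token instead of trusting the URL. All function, action, transient and parameter names (example_run_tool, example_tmplink, tool, user_id) are hypothetical; the WordPress core functions used are real.

```php
<?php
/*
 * Added example (hypothetical names; not the plugin's code).
 *
 * VULNERABLE PATTERN: a nonce check alone. check_ajax_referer() only proves
 * the request came from a page this logged-in user loaded (CSRF protection).
 * It does not establish that the user may run the tool.
 */
add_action( 'wp_ajax_example_run_tool', 'example_run_tool_vulnerable' );

function example_run_tool_vulnerable() {
    // Any logged-in user who has seen the nonce (e.g. via wp_localize_script()) passes.
    check_ajax_referer( 'example_tools_nonce', 'nonce' );

    $tool = isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '';
    if ( 'create_temporary_link' === $tool ) {
        $user_id = absint( $_POST['user_id'] ?? 0 );
        // Mints a login link for ANY user id, including administrators.
        wp_send_json_success( array( 'url' => example_create_temporary_link( $user_id ) ) );
    }
    wp_send_json_error( 'unknown tool', 400 );
}

/*
 * HARDENED FORM: nonce (CSRF) AND capability (authorization).
 */
add_action( 'wp_ajax_example_run_tool_fixed', 'example_run_tool_fixed' );

function example_run_tool_fixed() {
    check_ajax_referer( 'example_tools_nonce', 'nonce' );

    // Authorization: only users who may manage the site can mint login links.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $tool = isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '';
    if ( 'create_temporary_link' === $tool ) {
        $user_id = absint( $_POST['user_id'] ?? 0 );
        if ( ! get_user_by( 'ID', $user_id ) ) {
            wp_send_json_error( 'no such user', 404 );
        }
        wp_send_json_success( array( 'url' => example_create_temporary_link( $user_id ) ) );
    }
    wp_send_json_error( 'unknown tool', 400 );
}

/* Token: random, stored only as a hash, short-lived, single-use. */
function example_create_temporary_link( $user_id ) {
    $token = bin2hex( random_bytes( 32 ) );
    set_transient(
        'example_tmplink_' . hash( 'sha256', $token ),
        array( 'user_id' => $user_id, 'issued_by' => get_current_user_id() ),
        15 * MINUTE_IN_SECONDS
    );
    return add_query_arg( 'example_tmplink', $token, wp_login_url() );
}

/* Consumer: looks the token up, burns it, then logs the mapped user in. */
add_action( 'init', 'example_handle_temporary_links' );

function example_handle_temporary_links() {
    if ( empty( $_GET['example_tmplink'] ) || is_user_logged_in() ) {
        return;
    }
    $token = preg_replace( '/[^a-f0-9]/', '', (string) $_GET['example_tmplink'] );
    $key   = 'example_tmplink_' . hash( 'sha256', $token );
    $data  = get_transient( $key );
    if ( false === $data ) {
        return; // unknown, expired, or already used
    }
    delete_transient( $key ); // single use, even if the login below fails

    $user = get_user_by( 'ID', (int) $data['user_id'] );
    if ( ! $user ) {
        return;
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The point of the contrast is the single missing line: current_user_can() is the authorization check, check_ajax_referer() is not. Storing only the token's hash, expiring it, and deleting it on first use limit the blast radius if a link is ever minted or leaked by mistake.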

Exploitation

Any authenticated user with Subscriber-level access or higher can exploit this vulnerability. The attacker logs into the WordPress backend and loads an admin page on which the plugin's welcome pointer is active, which exposes the required nonce through wp_localize_script(). With that nonce, the attacker calls the ajax_run_tool() handler with the create_temporary_link tool to generate a passwordless login link for an arbitrary user, including an administrator, and then follows the link to be logged in as that user without knowing their password [1].

Impact

Successful exploitation of this vulnerability allows an attacker to bypass normal authentication mechanisms and log in as any user on the WordPress site, including administrators. This leads to a complete account takeover, granting the attacker full control over the website and its data.

Mitigation

The vulnerability is fixed in WP Captcha PRO version 5.39. Update to 5.39 or later as soon as possible; no workaround is available for earlier versions. Because exploitation requires only a logged-in account of any role, sites that allow open registration are the most exposed. After updating, review administrator accounts and active sessions for signs of an earlier takeover.

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patch commit has been linked yet; the vendor fix is version 5.39 (see Mitigation).

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
