Platform
wordpress
Component
mtcaptcha
Fixed in
2.7.3
CVE-2025-13520 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the MTCaptcha WordPress plugin. This flaw allows unauthenticated attackers to manipulate plugin settings through forged requests, potentially gaining control over sensitive configurations. The vulnerability impacts versions from 0.0.0 through 2.7.2, and a patch is available in version 2.7.3.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized modification of the MTCaptcha plugin's settings. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by an administrator, would trigger a request to update the plugin's configuration. Crucially, this includes the private key used for captcha verification. Compromising this key could allow an attacker to bypass captcha protection and potentially gain unauthorized access to protected areas of the website. The blast radius extends to any website utilizing the MTCaptcha plugin with vulnerable versions, as a single compromised site could be used to target other administrators.
This vulnerability is currently not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, which suggests a lower probability of immediate widespread exploitation. However, CSRF vulnerabilities are easy to exploit, so this remains a potential risk. The NVD entry was published on 2026-01-07.
Systems at risk: websites using the MTCaptcha WordPress plugin, particularly those in shared hosting environments where multiple administrators may have access. Legacy systems running older WordPress installations are also at increased risk, as they may not receive security patches regularly.
• wordpress / composer / npm:
grep -r 'MTCaptcha/includes/settings.php' /var/www/html/
• wordpress / composer / npm:
wp plugin list | grep MTCaptcha
• wordpress / composer / npm:
wp plugin update --all
• generic web: Check the WordPress plugin directory for version 2.7.3 or higher.
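As an added example (not from the advisory and not the MTCaptcha plugin's own code), the following POSIX shell helper turns the detection commands above into a repeatable check: it compares an installed version against the fixed release 2.7.3 and scans `wp plugin list --format=csv` output for an affected MTCaptcha install. The column order name,status,update,version is assumed to be WP-CLI's default, and the plugin list at the bottom is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the advisory or the MTCaptcha plugin:
# flag an installed MTCaptcha version that is still in the affected
# range (0.0.0 through 2.7.2; fixed in 2.7.3).
FIXED_VERSION="2.7.3"

# version_lt A B: succeeds if A sorts strictly before B in version order.
# Relies on `sort -V` (GNU coreutils, BusyBox and recent BSD sort).
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# mtcaptcha_vulnerable VERSION: succeeds if VERSION is below the fixed release.
mtcaptcha_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_plugin_list: reads CSV lines as produced by `wp plugin list --format=csv`
# (assumed column order: name,status,update,version) on stdin, reports each
# MTCaptcha entry, and succeeds only if at least one entry is affected.
check_plugin_list() {
    affected=1
    while IFS=, read -r name status update version; do
        slug=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case "$slug" in
            mtcaptcha*) ;;
            *) continue ;;
        esac
        if mtcaptcha_vulnerable "$version"; then
            echo "AFFECTED: $name $version ($status) - upgrade to $FIXED_VERSION or later"
            affected=0
        else
            echo "OK: $name $version ($status)"
        fi
    done
    return $affected
}

# Constructed sample output standing in for `wp plugin list --format=csv`.
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.3
mtcaptcha,active,available,2.7.2'

# Stand-alone run: prints the report; exit status 0 means an affected install was found.
printf '%s\n' "$SAMPLE_PLUGIN_LIST" | check_plugin_list
```

On a live site, replace the constructed sample with `wp plugin list --format=csv | check_plugin_list` and use the exit status in a monitoring job; a non-zero status after the upgrade confirms that no affected version remains.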
disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The most effective mitigation is to immediately upgrade the MTCaptcha WordPress plugin to version 2.7.3 or later, which addresses the nonce validation issue. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the plugin's settings update endpoint that lack proper authentication. Additionally, educate administrators about the risks of clicking on suspicious links or visiting untrusted websites. Regularly review plugin settings for any unauthorized changes. After upgrading, confirm the fix by opening the plugin settings page and verifying that the private key remains unchanged.
No known patch available. Please review the vulnerability details thoroughly and deploy mitigations based on your organization's risk appetite. It may be best to uninstall the affected software and find a replacement.
CVE-2025-13520 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the MTCaptcha WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if you are using the MTCaptcha WordPress plugin versions 0.0.0 through 2.7.2. Upgrade to 2.7.3 or later to mitigate the risk.
Upgrade the MTCaptcha WordPress plugin to version 2.7.3 or later. Consider implementing a WAF rule as a temporary workaround.
While no active exploitation has been confirmed, the ease of exploiting CSRF vulnerabilities means it remains a potential risk.
Refer to the plugin developer's website or WordPress plugin directory for the latest advisory and update information.