Platform: wordpress
Component: mtcaptcha
Fixed in: 2.7.3
CVE-2025-13520 is a Cross-Site Request Forgery (CSRF) vulnerability in the MTCaptcha WordPress plugin. The plugin's settings update handler does not validate a nonce, so an unauthenticated attacker who can get a logged-in administrator to load a crafted page can change the plugin's configuration through a forged request. Versions 0.0.0 through 2.7.2 are affected; version 2.7.3 fixes the issue.
The primary impact is unauthorized modification of the MTCaptcha plugin's settings. An attacker crafts a malicious link or embeds a hidden, auto-submitting form on a site they control; when an administrator who is logged in to the target site visits it, the browser sends the settings update request with the administrator's own session cookies, and WordPress accepts it because nothing ties the request to a form the site actually served. Crucially, the writable settings include the private key used for captcha verification. Replacing that key lets the attacker defeat the captcha on every form the plugin guards (login, registration, comments), removing a control that slows brute-force and automated abuse. The forged request can be hosted anywhere, so every site running a vulnerable version is exposed independently; no previously compromised site is needed to attack another.
This vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, which suggests a lower probability of immediate widespread exploitation; however, CSRF is easy to exploit, so the risk remains. The NVD entry was published on 2026-01-07.
Exploit Status
EPSS: 0.02% (3rd percentile)
CISA SSVC:
CVSS Vector:
The most effective mitigation is to upgrade the MTCaptcha WordPress plugin to version 2.7.3 or later, which adds nonce validation to the settings update. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule can serve as a stopgap, but it must not key on authentication: a CSRF request carries the victim administrator's valid session cookie. Instead, block POST requests to the plugin's settings endpoint whose Origin or Referer header does not match the site's own origin, or that carry no nonce parameter. Remind administrators not to follow untrusted links while logged in to wp-admin, and review plugin settings for unauthorized changes, paying particular attention to the private key. After upgrading, confirm on the Plugins page that the installed version is 2.7.3 or later, and check that the private key still matches the one issued to you; if there is any sign it was altered, treat it as compromised and replace it rather than simply restoring the old value.
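The pattern behind this class of bug, and the fix that 2.7.3 is described as applying, is easiest to see side by side. The following is an added illustration, not code from the MTCaptcha plugin: it uses a hypothetical plugin prefix `examplecaptcha`, a hypothetical option `examplecaptcha_private_key` and a hypothetical action name, and shows a settings handler that trusts any POST next to one that requires both a capability check and a valid WordPress nonce.

```php
<?php
/*
 * Added example (not MTCaptcha's code). Names prefixed "examplecaptcha"
 * are hypothetical. Requires WordPress; the functions used here
 * (current_user_can, check_admin_referer, wp_nonce_field, update_option,
 * admin_url, submit_button, etc.) are standard WordPress APIs.
 */

// BEFORE (CSRF-prone): any POST reaching this handler is honoured. A page on
// an attacker's site can auto-submit such a form to wp-admin; the browser
// attaches the administrator's cookies, so WordPress treats it as the admin.
function examplecaptcha_save_settings_vulnerable() {
    if ( isset( $_POST['examplecaptcha_private_key'] ) ) {
        update_option(
            'examplecaptcha_private_key',
            sanitize_text_field( wp_unslash( $_POST['examplecaptcha_private_key'] ) )
        );
    }
}

// AFTER (hardened): capability check plus nonce validation. The nonce is
// bound to the logged-in user and the action name, and a cross-origin page
// cannot read it, so a forged request has nothing valid to send and is
// rejected with a 403 by check_admin_referer().
function examplecaptcha_save_settings_hardened() {
    // 1. Is the caller allowed to change settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // 2. Was this form actually served by this site to this user?
    //    Dies with 403 when the nonce is missing, expired or for another user.
    check_admin_referer( 'examplecaptcha_save_settings', 'examplecaptcha_nonce' );

    if ( isset( $_POST['examplecaptcha_private_key'] ) ) {
        update_option(
            'examplecaptcha_private_key',
            sanitize_text_field( wp_unslash( $_POST['examplecaptcha_private_key'] ) )
        );
    }
}

// The legitimate settings form embeds the matching nonce so real saves still work.
function examplecaptcha_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="examplecaptcha_save_settings">
        <?php wp_nonce_field( 'examplecaptcha_save_settings', 'examplecaptcha_nonce' ); ?>
        <label>Private key
            <input type="password" name="examplecaptcha_private_key"
                   value="<?php echo esc_attr( get_option( 'examplecaptcha_private_key', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Route the admin-post action to the hardened handler only.
add_action( 'admin_post_examplecaptcha_save_settings', 'examplecaptcha_save_settings_hardened' );
```

Two points worth noting when auditing a plugin for this bug: the capability check alone does not stop CSRF, because the forged request arrives with a real administrator's session and passes `current_user_can()`; and the nonce check alone is weaker than it looks if the handler is reachable by lower-privileged users, since WordPress nonces prove origin, not authorization. Both checks are needed, and the order above (capability first, then nonce) fails closed in either case.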
CVE-2025-13520 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the MTCaptcha WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if you are using the MTCaptcha WordPress plugin versions 0.0.0 through 2.7.2. Upgrade to 2.7.3 or later to mitigate the risk.
Upgrade the MTCaptcha WordPress plugin to version 2.7.3 or later. Consider implementing a WAF rule as a temporary workaround.
While no active exploitation has been confirmed, the ease of exploiting CSRF vulnerabilities means it remains a potential risk.
Refer to the plugin developer's website or WordPress plugin directory for the latest advisory and update information.