Platform: wordpress
Component: kcaptcha
Fixed in: 1.0.2
CVE-2026-4121 describes a Cross-Site Request Forgery (XSRF) vulnerability discovered in the Kcaptcha plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's CAPTCHA settings, potentially disabling CAPTCHA protection on critical login, registration, and comment forms. The vulnerability affects versions 1.0.0 through 1.0.1 and a fix is pending.
Successful exploitation of CVE-2026-4121 could have significant consequences for WordPress websites using the Kcaptcha plugin. An attacker could disable CAPTCHA on login pages, enabling brute-force attacks and account takeover. Disabling CAPTCHA on registration forms could allow attackers to create numerous fake accounts for spam or malicious purposes. Similarly, disabling CAPTCHA on comment forms could lead to comment spam and potential injection of malicious scripts. The blast radius extends to any user interacting with these forms, since the settings that protect them could be changed without the site operator's knowledge. This vulnerability shares the pattern of other XSRF vulnerabilities in which a missing nonce (request-origin) check allows unauthorized modifications.
CVE-2026-4121 was published on 2026-04-22. Its current EPSS score is pending evaluation. No public Proof-of-Concept (POC) exploits have been identified at the time of writing, but the ease of exploitation inherent in XSRF vulnerabilities suggests it could become a target for automated attacks. Monitor security advisories and WordPress vulnerability databases for updates.
Exploit Status
EPSS: 0.01% (0% percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4121 is to upgrade to a patched version of the Kcaptcha plugin as soon as it becomes available. Until a patch is released, implement temporary workarounds. A Web Application Firewall (WAF) can be configured to filter requests to the admin/setting.php endpoint, specifically looking for requests without proper nonce validation. Consider adding a custom security plugin that enforces nonce validation on the settings form. Regularly review WordPress plugin settings for any unexpected changes. After applying a potential fix, verify the CAPTCHA settings are properly protected by attempting to submit a request without a valid nonce.
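The pattern behind this class of bug, and the WordPress-idiomatic fix described above, as an added illustration that is not Kcaptcha's own code: the first handler accepts any POST to the settings endpoint, the second requires both a capability check and a nonce bound to the admin's session. The option name `kcaptcha_settings`, the field names and the nonce action name are assumptions; only the `admin/setting.php` endpoint comes from the advisory.

```php
<?php
// Added illustration, not the Kcaptcha plugin's code. Option name
// 'kcaptcha_settings', the form field names and the nonce action are assumed.

// --- Vulnerable pattern: the handler trusts any POST reaching admin/setting.php ---
function kcaptcha_save_settings_unsafe() {
    if ( isset( $_POST['kcaptcha_save'] ) ) {
        // No nonce check and no capability check: a cross-site form submission
        // (or, if this file is reachable without login, any direct POST) can
        // switch CAPTCHA off for every protected form.
        update_option( 'kcaptcha_settings', array(
            'login'    => isset( $_POST['login'] ),
            'register' => isset( $_POST['register'] ),
            'comment'  => isset( $_POST['comment'] ),
        ) );
    }
}

// --- Hardened pattern: nonce in the form, nonce + capability check in the handler ---
function kcaptcha_render_settings_form() {
    $opts = get_option( 'kcaptcha_settings', array() );
    echo '<form method="post" action="">';
    // Emits a hidden field whose value is tied to this action, the current user and
    // the current session; a third-party site cannot obtain or guess it.
    wp_nonce_field( 'kcaptcha_save_settings', '_kcaptcha_nonce' );
    foreach ( array( 'login', 'register', 'comment' ) as $form ) {
        printf(
            '<label><input type="checkbox" name="%1$s" %2$s> CAPTCHA on %1$s form</label><br>',
            esc_attr( $form ),
            checked( ! empty( $opts[ $form ] ), true, false )
        );
    }
    echo '<input type="submit" name="kcaptcha_save" value="Save"></form>';
}

function kcaptcha_save_settings_safe() {
    if ( ! isset( $_POST['kcaptcha_save'] ) ) {
        return;
    }
    // 1. Only users allowed to manage options may change CAPTCHA settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Reject any request whose nonce is missing, expired or issued for another
    //    user. check_admin_referer() stops execution with wp_die() on failure, so
    //    a submission without _kcaptcha_nonce never reaches update_option().
    check_admin_referer( 'kcaptcha_save_settings', '_kcaptcha_nonce' );

    $opts = array();
    foreach ( array( 'login', 'register', 'comment' ) as $form ) {
        $opts[ $form ] = ! empty( $_POST[ $form ] );
    }
    update_option( 'kcaptcha_settings', $opts );
}

// Run the handler only inside the authenticated dashboard, never on an
// unauthenticated front-end path.
add_action( 'admin_init', 'kcaptcha_save_settings_safe' );
```

The verification step the advisory recommends maps directly onto the hardened handler: a POST to the settings page that omits `_kcaptcha_nonce` (or reuses a stale one) must produce the `wp_die()` error page and leave `get_option( 'kcaptcha_settings' )` unchanged; if the options still change, the nonce check is not on the code path that writes them.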
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-4121 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the Kcaptcha WordPress plugin versions 1.0.0–1.0.1. It allows attackers to modify CAPTCHA settings due to missing nonce validation, potentially disabling CAPTCHA protection.
If you are using the Kcaptcha WordPress plugin in versions 1.0.0 or 1.0.1, you are potentially affected by this vulnerability. Check your plugin versions and apply the recommended mitigations.
The recommended fix is to upgrade to a patched version of the Kcaptcha plugin as soon as it's available. Until then, implement WAF rules or a custom security plugin to enforce nonce validation.
While no public exploits have been identified, the ease of exploitation suggests it could become a target. Monitor security advisories and WordPress vulnerability databases for updates.
Refer to the WordPress plugin repository and the Kcaptcha plugin developer's website for official advisories and updates related to CVE-2026-4121.