CVE-2026-5411
Arbitrary File Upload in WP Captcha PRO WordPress Plugin
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_captcha_pro | wp_captcha_pro | up to and including 5.38 |
| webfactory_ltd | wp_captcha_pro | up to and including 5.38 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Captcha PRO plugin for WordPress, up to version 5.38, has a vulnerability that allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server.
This happens because the plugin's licensing module has a flawed capability check in the save_ajax() function combined with unrestricted file extraction in the sync_cloud_protection() function.
Attackers can inject a malicious URL into the license metadata, which the plugin then downloads and extracts without validating the file type, placing files such as PHP webshells into a web-accessible uploads directory.
This vulnerability can lead to remote code execution if the PHP configuration allows remote URL file access (i.e., if "allow_url_fopen" is enabled).
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized remote code execution on your WordPress server.
An attacker with low-level authenticated access can upload malicious files such as PHP webshells, which can be used to take control of the website, steal data, modify content, or launch further attacks.
This compromises the security and integrity of your website and server, potentially leading to data breaches, defacement, or service disruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves arbitrary file upload via the WP Captcha PRO plugin's licensing module, specifically through injection of a malicious cloud_protection_url that the plugin downloads and extracts without validation.
To detect exploitation attempts or presence of this vulnerability on your system, you can look for unusual files, especially PHP webshells, in the web-accessible uploads directory used by the plugin.
You may also check for suspicious entries in the license meta related to cloud_protection_url.
- Search for recently modified or created PHP files in the uploads directory, for example using: find /path/to/wp-content/uploads/ -name '*.php' -mtime -7
- Check the WordPress database for suspicious license meta entries containing cloud_protection_url values.
- Review web server logs for unusual requests or uploads targeting the plugin's AJAX save function.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WP Captcha PRO plugin to a version later than 5.38 where this vulnerability is fixed.
If an update is not immediately possible, consider disabling or removing the WP Captcha PRO plugin to prevent exploitation.
Additionally, disable the PHP configuration option allow_url_fopen if it is enabled, as the vulnerability requires this setting to exploit remote URLs.
Review and remove any suspicious files uploaded to the web-accessible uploads directory.
Audit user roles and restrict Subscriber-level access if possible, since the vulnerability can be exploited by authenticated users with Subscriber-level access and above.
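As an added example (not code from the advisory, from Wordfence, or from the plugin's vendor), the shell script below turns the three detection checks listed above into functions and adds the allow_url_fopen check from the mitigation list. It assumes the WordPress root, an access log in combined format and an optional SQL dump are passed as arguments. Because the advisory does not publish the plugin's AJAX action name or the database table that holds its license metadata, the script matches on the generic WordPress `/wp-admin/admin-ajax.php` endpoint and on the literal string `cloud_protection_url`; it also flags any request for a `.php` file under `wp-content/uploads`, which is how a dropped webshell would be reached.

```shell
#!/usr/bin/env bash
# Added triage script for CVE-2026-5411 (not part of the advisory or the plugin).
# Assumptions: $1 is the WordPress root, the access log is in combined format,
# and the plugin's AJAX action name / storage table are unknown, so matching is
# on /wp-admin/admin-ajax.php and on the literal string cloud_protection_url.

# Check 1: PHP files created or modified recently under wp-content/uploads, the
# web-accessible directory where the advisory says extracted files land.
# $1 = uploads directory, $2 = lookback window in days (default 7).
find_recent_php_uploads() {
    local uploads_dir="$1" days="${2:-7}"
    find "$uploads_dir" -type f -name '*.php' -mtime "-${days}" 2>/dev/null | sort
}

# Check 2: license metadata mentioning cloud_protection_url in a database dump
# (for example the output of `wp db export` or mysqldump). Every hit deserves
# review, because that value is the URL the plugin downloads and extracts.
# $1 = SQL dump file.
scan_dump_for_cloud_url() {
    grep -n 'cloud_protection_url' "$1" 2>/dev/null || true
}

# Check 3: access-log lines showing POSTs to admin-ajax.php (the WordPress
# dispatcher for handlers such as save_ajax()) and any request for a .php file
# under wp-content/uploads (direct execution of an uploaded file).
# $1 = access log in combined format.
scan_access_log() {
    grep -E '"(POST [^"]*/wp-admin/admin-ajax\.php|[A-Z]+ [^"]*/wp-content/uploads/[^"]*\.php)' "$1" 2>/dev/null || true
}

# Check 4: whether allow_url_fopen is on, since the advisory ties RCE to it.
# Prints On, Off, or unknown when no php CLI is installed. Note that the CLI
# may load a different php.ini than the web server SAPI; confirm the web value
# separately (e.g. via phpinfo() served by the web server).
check_allow_url_fopen() {
    if command -v php >/dev/null 2>&1; then
        php -r 'echo ini_get("allow_url_fopen") ? "On" : "Off";'
        echo
    else
        echo unknown
    fi
}

# Run every check against one site.
# $1 = WordPress root, $2 = access log, $3 = optional SQL dump.
triage_site() {
    local wp_root="$1" access_log="$2" dump="${3:-}"
    echo "== PHP files under uploads modified in the last 7 days =="
    find_recent_php_uploads "$wp_root/wp-content/uploads" 7
    echo "== allow_url_fopen (php CLI view): $(check_allow_url_fopen) =="
    echo "== admin-ajax.php POSTs and .php requests under uploads =="
    scan_access_log "$access_log"
    if [ -n "$dump" ]; then
        echo "== cloud_protection_url references in $dump =="
        scan_dump_for_cloud_url "$dump"
    fi
}

# Example invocation (paths are placeholders):
# triage_site /var/www/html /var/log/apache2/access.log /tmp/site.sql
```

Every hit is a lead, not a verdict: a plugin may legitimately store its own cloud_protection_url, and the WordPress heartbeat also talks to admin-ajax.php, so correlate a suspicious POST with a new .php file in uploads and a subsequent request for that file before treating it as exploitation.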