{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4121", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T13:31:45.845Z", "datePublished": "2026-04-22T07:45:40.047Z", "dateUpdated": "2026-04-22T07:45:40.047Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:40.047Z"}, "affected": [{"vendor": "ksolves", "product": "Kcaptcha", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (admin/setting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb->update(). This makes it possible for unauthenticated attackers to modify the plugin's CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "title": "Kcaptcha <= 1.0.1 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6c1c73b-76e3-4cb9-ad53-9d5d4e7519c9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L12"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L12"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L30"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L47"}, {"url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L47"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Afnaan"}], "timeline": [{"time": "2026-04-21T19:07:38.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (admin/setting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb->update(). This makes it possible for unauthenticated attackers to modify the plugin's CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."}], "id": "CVE-2026-4121", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:23.490", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L12"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L30"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L47"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L12"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L30"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L47"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6c1c73b-76e3-4cb9-ad53-9d5d4e7519c9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Kcaptcha", "source": "cna", "vendor": "ksolves"}, "product": "kcaptcha", "vendor": "ksolves"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T09:23:44.861077+00:00", "value": {"mitigation_remediation": ["Upgrade Kcaptcha to the newest version (>=1.0.2) where nonce validation is implemented.", "If you maintain a custom fork, add wp_nonce_field() to the settings form and call wp_verify_nonce() or check_admin_referer() before updating the database.", "Restrict access to the settings page so only users with the 'manage_options' capability can load or submit the form, for example by adding a capability check at the top of admin/setting.php.", "As a temporary workaround, if an upgrade is not possible, manually set the CAPTCHA options to their desired defaults in the database and apply a file\u2011watcher to detect unauthorized changes."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Request Forgery (CSRF) allowing attackers to change Kcaptcha settings"}, "threat_synthesis": {"affected_systems": "ksolves Kcaptcha WordPress plugin, all versions up to and including 1.0.1. The issue resides in the admin/setting.php handler, which is used by site administrators to manage CAPTCHA options.", "description_and_impact": "The Kcaptcha plugin fails to validate a nonce on its settings page, enabling unauthenticated attackers to submit forged requests that alter the plugin\u2019s configuration. The attacker can disable CAPTCHA on login, registration, password reset, and comment forms, effectively removing a layer of defense against brute\u2011force and spam attacks. The vulnerability does not provide direct code execution but gives attackers indirect influence over site authentication and commenting workflows, potentially increasing the risk of credential stuffing, automated account creation, or comment flooding.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate severity; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires social engineering of a site administrator to submit a crafted HTTP request to the settings endpoint. Because no nonce or capability checks are performed, any attacker who can trick an admin into clicking a link can change the CAPTCHA settings, potentially disabling security controls and paving the way for automated attacks."}}}}, "created": "2026-04-22T09:30:13.553279+00:00", "updated": "2026-04-22T11:43:57.662348+00:00", "vendors": ["ksolves", "ksolves$PRODUCT$kcaptcha", "wordpress", "wordpress$PRODUCT$wordpress"]}