CVE-2026-5415

High
CWE-288 — Weakness Type
Published: Jun 5, 2026  ·  Modified: Jun 10, 2026  ·  Source: NVD
CVSS v3
8.8
📄 Description (English)

The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajax_run_tool() AJAX handler relying solely on a nonce check (check_ajax_referer) for security without performing any capability check, combined with the create_temporary_link tool allowing the generation of passwordless login links for arbitrary users, and the handle_temporary_links() function authenticating visitors via these links without any additional authorization validation. The required nonce is exposed to all authenticated backend users (including Subscribers) via wp_localize_script() on all non-settings admin pages when the plugin's welcome pointer has not been dismissed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass normal authentication and log in as any user, including Administrators, resulting in complete account takeover.

🤖 AI Executive Summary

WP Captcha PRO plugin contains a critical authentication bypass vulnerability (CVE-2026-5415) affecting all versions up to 5.38. Authenticated users with Subscriber-level access can exploit exposed nonces to generate passwordless login links for arbitrary users, including administrators, leading to complete account takeover. This vulnerability is particularly severe for WordPress installations in Saudi organizations as it requires minimal attacker privileges and no patch is currently available.
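As an added illustration (not code from WP Captcha PRO), the pattern the description calls out, an AJAX handler guarded only by check_ajax_referer(), beside a version that also enforces a capability and only hands the nonce to users who may use the tool; the action, nonce, option and page names are assumptions.

```php
<?php
// Added illustration, not code from WP Captcha PRO. Hook, nonce, option and
// page names ('example_tool', 'example_tool_nonce', ...) are assumptions.

// Vulnerable pattern: check_ajax_referer() only proves the caller holds a nonce
// minted for their own session (a CSRF defence). It says nothing about what the
// caller may do, so any role that can read the nonce can reach the tool.
function example_tool_vulnerable() {
    check_ajax_referer( 'example_tool_nonce', 'nonce' );
    example_run_tool( isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '' );
    wp_send_json_success();
}

// Hardened pattern: nonce for CSRF, capability for authorization. A Subscriber
// holding a valid nonce is now refused with HTTP 403 before anything runs.
function example_tool_hardened() {
    check_ajax_referer( 'example_tool_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    example_run_tool( isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_tool', 'example_tool_hardened' );

// Stand-in for the plugin's privileged tools; it only records a timestamp,
// which is enough to show that the capability check above gates it.
function example_run_tool( $tool ) {
    update_option( 'example_tool_last_run', $tool . '@' . current_time( 'mysql' ) );
}

// Expose the nonce only on the plugin's own settings page and only to users who
// may use the tool; localizing it on every admin page is how lower roles got it.
function example_tool_scripts( $hook_suffix ) {
    if ( 'settings_page_example_tool' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-tool', plugins_url( 'tool.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-tool', 'exampleTool', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_tool_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_tool_scripts' );
```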

🤖 AI Intelligence Analysis (Analyzed: Jun 10, 2026 00:29)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using WordPress, particularly: (1) Government agencies and NCA-regulated entities hosting public-facing WordPress sites for citizen services; (2) Banking and financial institutions using WordPress for customer portals or informational sites; (3) ARAMCO and energy sector companies with WordPress-based internal or external communications platforms; (4) Healthcare providers using WordPress for patient information systems; (5) Telecommunications companies (STC, Mobily, Zain) with WordPress-based customer service portals. The vulnerability enables complete compromise of WordPress administrator accounts, potentially leading to data breaches, malware injection, and regulatory violations under NCA ECC 2024 and SAMA CSF requirements.
🏢 Affected Saudi Sectors
Government and Public Administration; Banking and Financial Services; Energy and Utilities (ARAMCO); Healthcare and Medical Services; Telecommunications (STC, Mobily, Zain); E-commerce and Retail; Education and Universities; Media and Publishing
⚖️ Saudi Risk Score (AI)
9.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable the WP Captcha PRO plugin immediately via WordPress admin panel or via FTP/SSH if admin access is compromised
2. Audit all user accounts for unauthorized access, particularly administrator accounts created after plugin installation
3. Review WordPress login logs and audit trails for suspicious passwordless login attempts
4. Force password reset for all administrator and high-privilege accounts
5. Check for unauthorized plugins, themes, or backdoors installed by attackers

DETECTION:
6. Monitor wp-admin/admin-ajax.php requests with action=ajax_run_tool parameter
7. Alert on create_temporary_link tool invocations from non-admin users
8. Monitor handle_temporary_links() function calls and temporary link generation
9. Review wp_localize_script() output for exposed nonce values in admin pages

COMPENSATING CONTROLS (until patch available):
10. Implement Web Application Firewall (WAF) rules to block AJAX requests to ajax_run_tool from non-administrator users
11. Restrict WordPress admin access to specific IP ranges via .htaccess or firewall
12. Implement two-factor authentication (2FA) for all WordPress user accounts
13. Use security plugins (Wordfence, Sucuri) to monitor and block suspicious AJAX activity
14. Implement database activity monitoring for user table modifications
15. Consider removing the plugin entirely if not critical to operations
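One way to apply compensating control 10 together with the detection in items 6 and 7 at the WordPress layer when no WAF is in front of the site, as an added example rather than the vendor's code: a must-use plugin that logs every ajax_run_tool call and rejects it unless the caller is an administrator. The action name comes from this advisory; the `tool` request parameter name, the manage_options capability and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Guard ajax_run_tool (compensating control)
 * Added example, not WP Captcha PRO's own code. Place it in
 * wp-content/mu-plugins/ so it loads before regular plugins. The action name
 * is from the advisory; the 'tool' parameter name and the required capability
 * (manage_options) are assumptions.
 */

// admin-ajax.php fires 'admin_init' before dispatching any wp_ajax_* action,
// so this runs ahead of the plugin's handler for every call of that action.
add_action( 'admin_init', 'cc_guard_ajax_run_tool', 1 );

function cc_guard_ajax_run_tool() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'ajax_run_tool' !== $action ) {
        return;
    }

    // Detection (items 6 and 7): record who called the action and which tool
    // was requested, so create_temporary_link invocations can be alerted on.
    $user = wp_get_current_user();
    $tool = isset( $_REQUEST['tool'] ) ? sanitize_key( wp_unslash( $_REQUEST['tool'] ) ) : '(none)';
    error_log( sprintf(
        'ajax_run_tool call: user=%s id=%d tool=%s ip=%s',
        $user->user_login ? $user->user_login : 'anonymous',
        $user->ID,
        $tool,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?'
    ) );

    // Block (item 10): a valid nonce alone is not authorization; only
    // administrators may reach the handler. wp_send_json_error() terminates.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}
```

Review the error_log destination (WP_DEBUG_LOG or the PHP error log) and forward it to the SIEM so item 7 alerts actually fire.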

LONG-TERM:
16. Monitor plugin repository for security updates and patch immediately upon release
17. Implement WordPress security hardening per SAMA CSF and NCA ECC guidelines
18. Conduct security code review of any custom AJAX handlers in other plugins
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Access Control Policy (authentication bypass violates access control)
A.5.2.1 - User Registration and Access Rights Management (unauthorized privilege escalation)
A.5.3.1 - Password Management (passwordless login links bypass password controls)
A.6.1.2 - Information Security Incident Management (breach notification requirements)
A.8.2.1 - User Access Management (unauthorized account takeover)
A.8.2.3 - Management of Privileged Access Rights (admin account compromise)
🔵 SAMA CSF
ID.AM-1 - Asset Management (inventory of WordPress installations)
PR.AC-1 - Access Control Policy (authentication and authorization)
PR.AC-4 - Access Rights Management (privilege escalation prevention)
PR.PT-1 - Security Architecture (secure design principles violated)
DE.AE-1 - Anomalies and Events Detection (unauthorized login detection)
RS.AN-1 - Incident Analysis (breach investigation and response)
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security (access control policy)
A.6.1.1 - Information security roles and responsibilities
A.8.1.1 - User endpoint devices (WordPress admin access)
A.8.2.1 - User registration and access rights (unauthorized access)
A.8.2.3 - Management of privileged access rights (admin account compromise)
A.8.3.1 - Password management (passwordless authentication bypass)
A.9.2.1 - User access management (access control violations)
A.12.4.1 - Event logging (audit trail requirements)
🟣 PCI DSS v4.0.1
Requirement 2.1 - Change default passwords (admin account compromise)
Requirement 6.2 - Security patches and updates (unpatched vulnerability)
Requirement 7 - Restrict access to data (unauthorized privilege escalation)
Requirement 8.1 - User identification and authentication (authentication bypass)
Requirement 8.2 - Secure authentication methods (passwordless links)
Requirement 10.2 - Implement automated audit trails (login monitoring)
📊 CVSS Score
8.8 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-288
Exploit: No
Patch: ✗ No
Published: 2026-06-05
Source Feed: nvd
🇸🇦 Saudi Risk Score
9.2 / 10.0 (Saudi Risk)
Priority: CRITICAL
🏷️ Tags
CWE-288