Arbitrary File Upload Vulnerability in WP Captcha PRO by WordPress
CVE-2026-5411

8.8HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
5 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-5411?

The WP Captcha PRO plugin, a premium version of the Advanced Google reCAPTCHA plugin, is susceptible to an arbitrary file upload vulnerability in all versions leading up to and including version 5.38. This flaw arises from inadequate capability checks within the save_ajax() function of the licensing module, coupled with a lack of file extraction validation in the sync_cloud_protection() function. Consequently, authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to upload malicious files, such as PHP web shells, via a malicious cloud_protection_url. This uploaded file can then be executed remotely, provided the server allows URL fopen in the PHP configuration, leading to potential remote code execution on the server.

Affected Version(s)

Advanced Google reCAPTCHA 0 <= 5.38

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Phú
.