CVE-2026-4121

Name of the Vulnerable Software and Affected Versions Kcaptcha versions prior to 1.0.2

Description The Kcaptcha plugin for WordPress is subject to Cross-Site Request Forgery. The issue exists in the settings page handler 'admin/setting.php' because it lacks nonce validation. Specifically, the settings form does not implement a wp nonce field() and the processing code fails to utilize wp verify nonce() or check admin referer() before updating the database via $wpdb->update(). This allows unauthenticated attackers to modify CAPTCHA settings for login, registration, lost password, and comment forms by tricking a site administrator into clicking a malicious link.

Recommendations Update to a version newer than 1.0.1.