PT-2026-4579 · WordPress · Zt Captcha

Ibnu +1 · Published: 2026-01-24 · Updated: 2026-01-24 · CVE-2026-1075

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions: ZT Captcha plugin for WordPress versions through 1.0.4

Description: The software is susceptible to Cross-Site Request Forgery due to improper nonce validation on the save ztcpt captcha settings action. An empty token value can bypass the nonce check, allowing unauthenticated attackers to modify the plugin’s settings via a forged request if they can trick a site administrator into performing an action, such as clicking a link.

Recommendations: Update the ZT Captcha plugin to version 1.0.5 or later.
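
The failure mode in the description, as an added example that is not the plugin's code and not part of the original advisory: a guard that verifies the token only when one is supplied, next to a fail-closed version. The HMAC nonce stand-in, the demo key, the action string `save_settings` and the field name `token` are assumptions, chosen so the block runs with plain PHP outside WordPress.

```php
<?php
// Added illustration; not the ZT Captcha plugin's code. All names are hypothetical.
// Stand-in for a per-session, per-action nonce (assumption: HMAC, truncated).
const DEMO_KEY = 'constructed-demo-key';

function demo_nonce(string $action, string $session): string {
    return substr(hash_hmac('sha256', $action . '|' . $session, DEMO_KEY), 0, 10);
}

// An empty token never verifies; comparison is constant-time.
function demo_verify(string $token, string $action, string $session): bool {
    return $token !== '' && hash_equals(demo_nonce($action, $session), $token);
}

// Flawed guard: verification only runs when a token was supplied,
// so an absent or empty token falls through and the save is allowed.
function flawed_guard(array $post, string $session): bool {
    $token = $post['token'] ?? '';
    if ($token !== '' && !demo_verify($token, 'save_settings', $session)) {
        return false;
    }
    return true;
}

// Hardened guard: fail closed. Missing, empty, non-string and wrong
// tokens are all rejected; only a verified token allows the save.
function strict_guard(array $post, string $session): bool {
    $token = $post['token'] ?? null;
    return is_string($token) && demo_verify($token, 'save_settings', $session);
}

// Constructed requests for one administrator session.
$session = 'admin-session-1';
$cases = [
    'valid token'    => ['token' => demo_nonce('save_settings', $session)],
    'wrong token'    => ['token' => 'aaaaaaaaaa'],
    'empty token'    => ['token' => ''],
    'no token field' => [],
];
foreach ($cases as $label => $post) {
    printf("%-15s flawed=%-6s strict=%s\n", $label,
        flawed_guard($post, $session) ? 'accept' : 'reject',
        strict_guard($post, $session) ? 'accept' : 'reject');
}
```

In a WordPress handler the same fail-closed shape comes from calling `check_admin_referer()` or `wp_verify_nonce()` unconditionally, together with a `current_user_can()` capability check, before any option is written.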

Fix

CSRF

Weakness Enumeration

Related Identifiers: CVE-2026-1075

Affected Products: Zt Captcha