CVE-2024-12034: CWE-340 Generation of Predictable Numbers or Identifiers in webfactory Advanced Google reCAPTCHA
The Advanced Google reCAPTCHA plugin for WordPress is vulnerable to IP unblocking in all versions up to, and including, 1.25. This is due to the plugin not utilizing a strong unique key when generating an unblock request. This makes it possible for unauthenticated attackers to unblock their IP after being locked out due to too many bad password attempts
AI Analysis
Technical Summary
CVE-2024-12034 describes a vulnerability in the webfactory Advanced Google reCAPTCHA WordPress plugin (versions up to 1.25) where the plugin does not use a strong unique key in generating unblock requests. This flaw enables unauthenticated attackers to unblock their IP addresses after being locked out due to too many failed password attempts, effectively bypassing the intended security control. The issue is categorized under CWE-340 (Generation of Predictable Numbers or Identifiers).
Potential Impact
An attacker can circumvent the IP lockout mechanism designed to prevent brute force password attempts by exploiting predictable unblock request identifiers. This could lead to repeated unauthorized login attempts from the same IP address, potentially increasing the risk of password guessing attacks. There is no direct confidentiality or availability impact reported, and no known exploits in the wild have been identified.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are currently available. Users should monitor the vendor's advisory for updates and apply any official patches once released. Until a fix is available, consider implementing additional protective measures such as external rate limiting or multi-factor authentication to mitigate brute force risks.
CVE-2024-12034: CWE-340 Generation of Predictable Numbers or Identifiers in webfactory Advanced Google reCAPTCHA
Description
The Advanced Google reCAPTCHA plugin for WordPress is vulnerable to IP unblocking in all versions up to, and including, 1.25. This is due to the plugin not utilizing a strong unique key when generating an unblock request. This makes it possible for unauthenticated attackers to unblock their IP after being locked out due to too many bad password attempts
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-12034 describes a vulnerability in the webfactory Advanced Google reCAPTCHA WordPress plugin (versions up to 1.25) where the plugin does not use a strong unique key in generating unblock requests. This flaw enables unauthenticated attackers to unblock their IP addresses after being locked out due to too many failed password attempts, effectively bypassing the intended security control. The issue is categorized under CWE-340 (Generation of Predictable Numbers or Identifiers).
Potential Impact
An attacker can circumvent the IP lockout mechanism designed to prevent brute force password attempts by exploiting predictable unblock request identifiers. This could lead to repeated unauthorized login attempts from the same IP address, potentially increasing the risk of password guessing attacks. There is no direct confidentiality or availability impact reported, and no known exploits in the wild have been identified.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are currently available. Users should monitor the vendor's advisory for updates and apply any official patches once released. Until a fix is available, consider implementing additional protective measures such as external rate limiting or multi-factor authentication to mitigate brute force risks.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-02T16:32:30.112Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e2bb7ef31ef0b5971ba
Added to database: 2/25/2026, 9:48:27 PM
Last enriched: 4/9/2026, 7:19:32 PM
Last updated: 4/12/2026, 2:58:57 AM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.