The Advanced Google reCAPTCHA plugin for WordPress, developed by webfactory, suffers from a vulnerability identified as CVE-2024-12034, categorized under CWE-340 (Generation of Predictable Numbers or Identifiers). This vulnerability affects all plugin versions up to and including 1.25. The core issue lies in the plugin's mechanism for generating unblock requests after an IP address has been locked out due to multiple failed login attempts. Instead of using a strong, unique key or token to validate unblock requests, the plugin uses predictable or weak identifiers. This design flaw enables unauthenticated attackers to craft unblock requests that the system accepts, effectively allowing them to remove their IP address from the blocklist without authorization. The vulnerability is remotely exploitable without requiring any authentication or user interaction, increasing its risk profile. However, the impact is limited to integrity, as attackers can bypass IP lockout controls but cannot directly access or alter sensitive data or disrupt service availability. No known exploits have been reported in the wild to date, but the vulnerability presents a clear risk of facilitating brute force or credential stuffing attacks by allowing attackers to repeatedly attempt logins without being blocked. The CVSS v3.1 base score is 5.3 (medium), reflecting the ease of exploitation and limited impact scope. The vulnerability highlights the importance of using cryptographically strong, unpredictable tokens for security-critical operations such as unblock requests in authentication-related plugins.

This vulnerability primarily impacts the integrity of the login protection mechanism in WordPress sites using the affected Advanced Google reCAPTCHA plugin. By allowing attackers to bypass IP lockouts, it increases the risk of successful brute force or credential stuffing attacks, potentially leading to unauthorized access if weak or reused credentials are present. While it does not directly compromise confidentiality or availability, the indirect risk of account compromise can lead to data breaches, privilege escalation, or further exploitation within the affected environment. Organizations relying on this plugin for login security may experience increased attack surface and reduced effectiveness of their brute force mitigation controls. The vulnerability could also lead to increased administrative overhead due to repeated attack attempts and potential account lockouts. Since WordPress powers a significant portion of the web, the scale of affected systems is large, especially for websites that do not promptly update or patch their plugins. The absence of authentication or user interaction requirements makes exploitation straightforward for remote attackers, increasing the likelihood of exploitation attempts once details become widely known.

1. Apply official patches or updates from webfactory as soon as they are released to address the predictable key generation issue. 2. Until a patch is available, consider disabling the Advanced Google reCAPTCHA plugin or replacing it with alternative, well-maintained CAPTCHA or login protection solutions that use strong cryptographic tokens for unblock requests. 3. Implement additional layers of brute force protection such as rate limiting, multi-factor authentication (MFA), and IP reputation filtering at the web server or firewall level. 4. Monitor login attempts and IP block/unblock events closely to detect suspicious activity indicative of exploitation attempts. 5. Review and harden WordPress security configurations, including limiting login attempts and enforcing strong password policies. 6. Educate site administrators about the risks of using outdated plugins and the importance of timely updates. 7. If feasible, conduct code reviews or penetration testing focused on authentication and access control mechanisms to identify similar weaknesses.