The ZT Captcha WordPress plugin is vulnerable to a CSRF attack because the nonce validation on the save_ztcpt_captcha_settings action can be bypassed by submitting an empty token. This allows unauthenticated attackers to alter plugin settings by tricking an administrator into executing a forged request. The vulnerability affects all versions up to and including 1.0.4. The CVSS 3.1 base score is 4.3, reflecting a network attack vector, low attack complexity, no privileges required, but requiring user interaction, and impacting integrity only.

An attacker can modify the plugin's settings without authentication by exploiting the CSRF vulnerability, potentially altering security-related configurations. There is no direct confidentiality or availability impact reported. The integrity of the plugin's settings is at risk, which could lead to degraded security posture or misconfiguration.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid clicking untrusted links while logged into WordPress and consider disabling or replacing the ZT Captcha plugin to prevent unauthorized settings changes.