CVE-2026-1075 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the ZT Captcha plugin for WordPress, affecting all versions up to and including 1.0.4. The vulnerability stems from improper nonce validation in the save_ztcpt_captcha_settings action, where the nonce token can be bypassed by submitting an empty value. Nonces in WordPress are security tokens designed to prevent CSRF by ensuring that requests originate from legitimate users. Here, the nonce check is flawed, allowing an attacker to craft a malicious request that, when executed by an authenticated administrator (e.g., by clicking a link), modifies the plugin's settings without authorization. This attack vector requires no authentication on the attacker’s part but does require user interaction from a privileged user. The impact is limited to integrity, as attackers can alter plugin configurations, potentially weakening site defenses or enabling further attacks. The vulnerability does not affect confidentiality or availability. The CVSS v3.1 score is 4.3, reflecting a medium severity due to the ease of exploitation and limited impact scope. No public exploits have been reported yet. The vulnerability highlights the importance of robust nonce validation in WordPress plugins to prevent CSRF attacks.

The primary impact of this vulnerability is the unauthorized modification of the ZT Captcha plugin settings by an attacker without authentication, contingent on tricking an administrator into performing an action. This can degrade the security posture of the affected WordPress site by potentially disabling or weakening CAPTCHA protections, which could facilitate automated attacks such as spam submissions or brute force login attempts. While confidentiality and availability are not directly impacted, the integrity of the plugin’s configuration is compromised, which may indirectly lead to further exploitation or increased attack surface. Organizations relying on this plugin for bot mitigation or user verification may experience increased risk of abuse. The medium severity rating reflects that while exploitation is feasible, it requires social engineering and only affects plugin settings rather than core site data or availability.

1. Immediately update the ZT Captcha plugin to a patched version once released by the vendor that properly validates nonce tokens. 2. Until a patch is available, restrict administrative access to trusted personnel and enforce the principle of least privilege to minimize exposure. 3. Educate administrators about the risks of clicking on unsolicited or suspicious links, especially when logged into WordPress admin interfaces. 4. Implement web application firewalls (WAFs) with rules to detect and block CSRF attack patterns targeting the plugin’s endpoints. 5. Monitor plugin settings and logs for unauthorized changes to detect potential exploitation attempts early. 6. Consider disabling or replacing the ZT Captcha plugin with alternative CAPTCHA solutions that follow secure coding practices if immediate patching is not feasible. 7. Regularly audit WordPress plugins for security updates and vulnerabilities to maintain a secure environment.