CVE-2026-1075: CWE-352 Cross-Site Request Forgery (CSRF) in teamzt ZT Captcha
The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action, where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2026-1075 is a Cross-Site Request Forgery (CSRF) vulnerability in the ZT Captcha plugin for WordPress, affecting all versions up to and including 1.0.4. The flaw is improper nonce validation on the save_ztcpt_captcha_settings action: the nonce check can be bypassed by submitting an empty token value. A pattern that produces exactly this behaviour is a check that only runs when a non-empty nonce field is present, so a request carrying an empty or missing token is never verified at all; the advisory does not publish the plugin's code, so treat this as the likely rather than the confirmed root cause. The attacker needs no account on the site. Instead, they lure a logged-in administrator into loading a page or clicking a link that submits the forged request; the administrator's browser attaches the site's authentication cookies, so the server processes the settings change as if the administrator had submitted the plugin's own form. Confidentiality and availability are not affected, but the integrity of the plugin's configuration is, which can weaken or disable the captcha protection the plugin is installed to provide. The CVSS v3.1 base score is 4.3 (medium): reachable over the network, no privileges required, user interaction required, low integrity impact only. No public exploit has been reported. The flaw matters most for sites whose administrators are exposed to phishing, since the only precondition is an administrator with an active wp-admin session visiting attacker-controlled content.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of WordPress sites using the ZT Captcha plugin. An attacker exploiting this flaw can alter captcha settings, potentially disabling or weakening bot protection mechanisms. This could lead to increased spam, automated abuse, or further exploitation of the affected websites. While confidentiality and availability are not directly impacted, the integrity compromise can indirectly facilitate additional attacks or degrade trust in the affected web services. Organizations relying on WordPress for customer-facing portals, e-commerce, or internal tools may experience reputational damage or operational disruptions if attackers manipulate captcha settings to bypass security controls. The requirement for administrator interaction means targeted phishing or social engineering campaigns could be used to exploit this vulnerability. Given the widespread use of WordPress in Europe, especially in small and medium enterprises, the threat is non-trivial. However, the absence of known exploits in the wild and the medium severity score suggest the impact is moderate but should not be ignored.
Mitigation Recommendations
1. Monitor the ZT Captcha plugin listing on WordPress.org and vendor communications for a release that addresses CVE-2026-1075 and update promptly once it is available; the advisory lists no fixed version.
2. Until a fix is available, deactivate the plugin or, if that is not acceptable, make sure every handler for the save_ztcpt_captcha_settings action verifies the nonce unconditionally (a missing or empty token must be rejected, not skipped) and checks the caller's capability. Direct edits to a third-party plugin are overwritten on update, so track them and re-verify after each upgrade.
3. Educate administrators about unsolicited links, especially while logged in to wp-admin, and encourage logging out of administrative sessions when not in use, since CSRF depends on an authenticated session being present in the browser. Browsers that default cookies without a SameSite attribute to Lax withhold them on cross-site POSTs but not on top-level GET navigations, so whether the action is reachable with a plain link matters.
4. Web application firewall rules can flag requests to the settings action that lack a nonce or arrive with a cross-origin Referer or Origin header, but a WAF cannot tell a forged request from a legitimate one on cookies alone; treat this as detection support, not a fix.
5. Restricting wp-admin to trusted networks or a VPN does not stop CSRF, because the forged request is sent by the administrator's own browser from inside that network; it still reduces the exposure of the administrative surface to other attacks.
6. Audit plugin settings for unexpected changes and record who changed them, when, and from where; an unexplained change to captcha settings is an indicator of this attack.
7. Multi-factor authentication protects against credential theft but does not mitigate CSRF, which rides an already-authenticated session; keep it as defence in depth, not as a remediation for this issue.
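The nonce-handling mistake described in the Technical Summary, the unconditional validation recommended in item 2, and the change logging in item 6, as an added PHP example. This is not the ZT Captcha plugin's code: the hook name admin_post_save_ztcpt_captcha_settings, the option name ztcpt_settings, the nonce field name ztcpt_nonce and the setting keys are assumptions chosen for illustration; only the action name save_ztcpt_captcha_settings comes from the advisory.

```php
<?php
/**
 * Added example, not the ZT Captcha plugin's code. Shows a nonce check that
 * an empty token slips past, a hardened handler for the same action, and an
 * audit hook that records settings changes. Hook, option and field names are
 * assumptions; only the action name comes from the advisory.
 */

// --- Vulnerable pattern (assumed root cause, CWE-352) ----------------------
// The nonce is verified only when a non-empty token is present. A forged
// request that sends "_wpnonce=" (empty) or omits the field skips the check,
// and the administrator's cookies make the request look legitimate.
function ztcpt_save_settings_vulnerable() {
    if ( ! empty( $_POST['_wpnonce'] )
         && ! wp_verify_nonce( $_POST['_wpnonce'], 'save_ztcpt_captcha_settings' ) ) {
        wp_die( 'Invalid nonce' );
    }
    update_option( 'ztcpt_settings', ztcpt_sanitize( $_POST ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ztcpt' ) );
    exit;
}

// --- Hardened handler -------------------------------------------------------
function ztcpt_save_settings_hardened() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // 2. Only accept POST. admin_post_{action} also fires for GET, so a
    //    plain link in an e-mail must not be able to trigger a save.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', 405 );
    }
    // 3. Unconditional nonce check. check_admin_referer() reads the named
    //    field and dies with HTTP 403 when it is missing, empty or invalid;
    //    a cross-site page cannot obtain a valid nonce for this user.
    check_admin_referer( 'save_ztcpt_captcha_settings', 'ztcpt_nonce' );

    update_option( 'ztcpt_settings', ztcpt_sanitize( $_POST ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ztcpt' ) );
    exit;
}
add_action( 'admin_post_save_ztcpt_captcha_settings', 'ztcpt_save_settings_hardened' );

// Allow-list sanitiser: unknown keys are dropped, known keys are coerced.
function ztcpt_sanitize( array $input ) : array {
    return [
        'enabled'   => ! empty( $input['enabled'] ) ? 1 : 0,
        'threshold' => max( 1, min( 10, (int) ( $input['threshold'] ?? 5 ) ) ),
    ];
}

// The settings form must emit the nonce field the handler expects.
function ztcpt_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="save_ztcpt_captcha_settings">';
    wp_nonce_field( 'save_ztcpt_captcha_settings', 'ztcpt_nonce' );
    echo '<label><input type="checkbox" name="enabled" value="1"> Enable captcha</label>';
    echo '<input type="number" name="threshold" min="1" max="10" value="5">';
    submit_button();
    echo '</form>';
}

// --- Audit: record who changed the captcha settings and from where ---------
// update_option_{$option} fires only when the stored value actually changes.
add_action( 'update_option_ztcpt_settings', function ( $old, $new ) {
    error_log( sprintf(
        'ztcpt settings changed by user %d from %s (referer: %s): %s -> %s',
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        wp_get_referer() ?: '-',
        wp_json_encode( $old ),
        wp_json_encode( $new )
    ) );
}, 10, 2 );
```

The vulnerable and hardened handlers differ in one decisive respect: the hardened version never lets the absence of a token decide whether verification happens. The audit hook writes to the PHP error log; on a production site route it to whatever log the SOC already collects, and treat a change whose referer is not the site's own wp-admin as suspicious.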
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-16T20:23:23.745Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6974765f4623b1157ca739ad
Added to database: 1/24/2026, 7:35:59 AM
Last enriched: 1/31/2026, 8:59:47 AM
Last updated: 2/7/2026, 8:24:41 PM