CVE-2026-5411: CWE-434 Unrestricted Upload of File with Dangerous Type in webfactory Advanced Google reCAPTCHA
The WP Captcha PRO plugin for WordPress (the premium version of the Advanced Google reCAPTCHA plugin; both share the same plugin slug) is vulnerable to arbitrary file upload in all versions up to, and including, 5.38. The cause is an insufficient capability check in the save_ajax() function of the licensing module, combined with unrestricted file extraction in sync_cloud_protection(). This makes it possible for authenticated attackers with Subscriber-level access and above to upload arbitrary files, including PHP webshells, by injecting a malicious cloud_protection_url into the license meta; the plugin then downloads the referenced archive and extracts it, without validating file types, into a web-accessible uploads directory. This can be used for remote code execution. Note: the vulnerability can only be exploited with a remote URL if "allow_url_fopen" is enabled in the php.ini config.
AI Analysis
Technical Summary
The vulnerability combines two defects. First, the save_ajax() licensing handler does not adequately check the caller's capabilities, so any authenticated user, a Subscriber included, can write a cloud_protection_url value of their choosing into the license metadata. Second, sync_cloud_protection() trusts that value: it downloads the referenced archive and extracts its contents into a web-accessible uploads directory without validating file types, so an archive containing a PHP webshell lands where the web server will execute it. Fetching the archive from a remote URL requires allow_url_fopen to be enabled in php.ini; the advisory's note gates only that remote-URL case. The weakness is tracked as CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS 3.1 base score is 8.8 (High), consistent with network-reachable, low-complexity exploitation by a low-privileged authenticated user with high impact on confidentiality, integrity, and availability.
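The following PHP is an added illustration of the two defects described above and of how each is normally fixed; it is not code from the WP Captcha PRO plugin. The option key example_license, the AJAX action and nonce names, the EXAMPLE_CLOUD_URL constant and the archive layout are all assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code. Option key, action names, the
// vendor URL constant and the archive layout are assumptions for the example.

// Fixed, vendor-owned HTTPS endpoint. The download location must never come
// from request data, whatever the caller's role.
define( 'EXAMPLE_CLOUD_URL', 'https://updates.example.invalid/protection.zip' );

// --- The pattern the advisory describes -----------------------------------
// Every logged-in user can reach an admin-ajax.php action hooked on wp_ajax_*.
// Without a capability check and a nonce, a Subscriber can store an arbitrary
// cloud_protection_url in the license option, which the sync routine later
// downloads and unpacks.
function example_save_ajax_unsafe() {
    $license = array(
        'key'                  => sanitize_text_field( wp_unslash( $_POST['key'] ?? '' ) ),
        'cloud_protection_url' => wp_unslash( $_POST['cloud_protection_url'] ?? '' ), // attacker-controlled
    );
    update_option( 'example_license', $license ); // no current_user_can(), no nonce
    wp_send_json_success();
}

// --- Hardened handler -------------------------------------------------------
function example_save_ajax() {
    // CSRF: the nonce must match the one rendered into the settings page.
    check_ajax_referer( 'example_license_nonce', 'nonce' );

    // Authorization: managing a license is a site-administration task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Only the license key is taken from the form; the URL is a constant.
    $license = array(
        'key'                  => sanitize_text_field( wp_unslash( $_POST['key'] ?? '' ) ),
        'cloud_protection_url' => EXAMPLE_CLOUD_URL,
    );
    update_option( 'example_license', $license );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_license', 'example_save_ajax' );

// --- Hardened extraction -----------------------------------------------------
// Unpack a downloaded archive into a dedicated directory, keeping only entries
// whose final extension is on an allowlist and flattening paths with basename()
// so an entry such as ../../shell.php cannot escape the target directory.
// Returns the list of files written.
function example_extract_archive( string $zip_path, string $dest_dir, array $allowed_ext ): array {
    $written = array();
    $dest    = realpath( $dest_dir );
    $zip     = new ZipArchive();
    if ( false === $dest || true !== $zip->open( $zip_path ) ) {
        return $written;
    }
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        if ( '/' === substr( $name, -1 ) ) {
            continue; // directory entry
        }
        // Compare the last extension, lowercased: shell.php, shell.PhTml and
        // image.jpg.php are all rejected; image.jpg and rules.json pass.
        $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( ! in_array( $ext, $allowed_ext, true ) ) {
            continue;
        }
        $target = $dest . DIRECTORY_SEPARATOR . basename( $name );
        if ( false !== file_put_contents( $target, $zip->getFromIndex( $i ) ) ) {
            $written[] = basename( $name );
        }
    }
    $zip->close();
    return $written;
}

// Example call: data files only, into a directory the web server is
// configured not to execute PHP from.
// $files = example_extract_archive( $tmp_zip, WP_CONTENT_DIR . '/example-protection', array( 'json', 'txt' ) );
```

Two points carry over whatever the real plugin's structure is: the AJAX handler must enforce both a nonce and an administrative capability before touching license settings, and whatever unpacks a downloaded archive must allowlist extensions rather than blocklist them and write only into a directory the web server will not execute PHP from. The download itself should go through the WordPress HTTP API (wp_safe_remote_get(), which rejects non-HTTP schemes and private addresses) rather than file_get_contents() on a URL, which is the call that allow_url_fopen gates.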
Potential Impact
Successful exploitation gives the attacker remote code execution as the web server user on the affected host, compromising the confidentiality, integrity, and availability of the WordPress site. Because the extracted files land in a web-accessible uploads directory, an uploaded PHP file can be invoked directly by URL; from there the attacker can read wp-config.php and the database credentials it holds, create administrator accounts, or pivot to other sites on the same host, potentially leading to full system compromise. The prerequisites are an account at Subscriber level or higher (trivial to obtain on sites with open registration) and, for the remote-URL path, allow_url_fopen enabled in PHP.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for the current fix version and update as soon as one is available. Until then: (1) Reduce who can reach save_ajax(): disable open registration (Settings > General, "Anyone can register") if it is not needed, and audit existing Subscriber-level accounts for any you do not recognize. (2) Disable allow_url_fopen in php.ini. This blocks the remote-URL download path the advisory describes, but the advisory's note ties allow_url_fopen only to the remote-URL case, so treat it as a stopgap rather than a fix. (3) Deny execution of PHP under wp-content/uploads at the web server (an Apache .htaccess or nginx location rule that refuses to run .php, .phtml and similar files there), which turns a dropped webshell into an inert file. (4) Check for compromise: inspect the plugin's stored license settings for a cloud_protection_url that does not point at the vendor, and search wp-content/uploads for recently created .php, .phtml or .phar files and for unexpected .htaccess files. Monitor vendor channels and apply the patch promptly once released.
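As an added triage script, not part of the advisory or the plugin, the following PHP CLI program walks an uploads tree and reports files that should never appear there after a legitimate media upload: anything with a PHP-executable extension, anything whose first bytes contain a PHP open tag regardless of extension, and any .htaccess or .user.ini, which attackers drop to make the web server execute other extensions. Run without arguments it builds a constructed sample tree in a temp directory and scans that; the uploads path, the extension list and the day window are assumptions.

```php
<?php
// Added triage script, not from the advisory or the plugin. Usage:
//   php find-php-in-uploads.php /var/www/html/wp-content/uploads 7
// With no arguments it scans a constructed sample tree so it can be tried offline.

// Extensions PHP handlers are commonly mapped to; deliberately broader than .php.
const EXEC_EXTENSIONS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'pht' );

/**
 * Return suspicious files under $root as [path => reason], limited to files
 * modified within the last $days days (0 = no limit).
 */
function find_suspicious_uploads( string $root, int $days = 0 ): array {
    $findings = array();
    $cutoff   = $days > 0 ? time() - $days * 86400 : 0;
    $iter     = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() || $file->getMTime() < $cutoff ) {
            continue;
        }
        $path   = $file->getPathname();
        $name   = $file->getFilename();
        $ext    = strtolower( $file->getExtension() );
        $reason = null;

        if ( '.htaccess' === $name || '.user.ini' === $name ) {
            $reason = 'server config file inside uploads';
        } elseif ( in_array( $ext, EXEC_EXTENSIONS, true ) ) {
            $reason = 'PHP-executable extension .' . $ext;
        } else {
            // Content sniff: a PHP open tag inside an "image" is a classic disguise.
            $head = (string) file_get_contents( $path, false, null, 0, 4096 );
            if ( false !== strpos( $head, '<?php' ) || false !== strpos( $head, '<?=' ) ) {
                $reason = 'PHP open tag in .' . ( $ext !== '' ? $ext : '(no ext)' ) . ' file';
            }
        }
        if ( null !== $reason ) {
            $findings[ $path ] = $reason;
        }
    }
    ksort( $findings );
    return $findings;
}

// --- Constructed sample tree for an offline run ----------------------------
function build_sample_tree(): string {
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads-sample-' . uniqid();
    mkdir( $root . '/2026/06', 0700, true );
    file_put_contents( $root . '/2026/06/photo.jpg', "\xFF\xD8\xFF\xE0 JFIF" );                 // benign
    file_put_contents( $root . '/2026/06/rules.json', '{"blocked": []}' );                      // benign
    file_put_contents( $root . '/2026/06/cache.php', "<?php echo 'hi';" );                      // flagged: extension
    file_put_contents( $root . '/2026/06/logo.png', "<?php system(\$_GET['c']); ?>" );          // flagged: open tag
    file_put_contents( $root . '/2026/06/.htaccess', "AddType application/x-httpd-php .png" ); // flagged: config
    return $root;
}

$root = $argv[1] ?? build_sample_tree();
$days = (int) ( $argv[2] ?? 0 );
foreach ( find_suspicious_uploads( $root, $days ) as $path => $reason ) {
    printf( "%s  %s\n", $path, $reason );
}
```

On the constructed tree the script reports cache.php, logo.png and .htaccess and stays silent on photo.jpg and rules.json. On a live site, treat every hit as something to explain, not something to delete on sight: capture the file and its timestamps first, because the creation time of the dropped files brackets when the malicious cloud_protection_url was stored.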
CVSS v3.1 base score: 8.8 (High)
Weaknesses: CWE-434 Unrestricted Upload of File with Dangerous Type
Technical Details
Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-04-02T07:07:02.783Z
CVSS Version: 3.1
State: PUBLISHED
Remediation Level: not specified
Threat ID: 6a231d8ee29bf47b50a9841b
Added to database: 6/5/2026, 7:03:42 PM
Last enriched: 6/5/2026, 7:18:32 PM
Last updated: 6/5/2026, 8:05:16 PM