CVE-2026-1075 in ZT Captcha Plugin
Summary
by MITRE • 01/24/2026
The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Analysis
by VulDB Data Team • 01/25/2026
The ZT Captcha plugin for WordPress presents a critical cross-site request forgery vulnerability that affects all versions up to and including 1.0.4. This vulnerability stems from insufficient validation of nonce tokens within the plugin's administrative interface, specifically during the save_ztcpt_captcha_settings action. The flaw allows attackers to manipulate the plugin's configuration settings without proper authentication, creating a significant security risk for WordPress installations that rely on this captcha solution for protecting their sites from automated attacks.
The technical implementation of this vulnerability lies in the plugin's failure to properly validate nonce tokens when processing administrative requests. Nonce validation is a fundamental security mechanism designed to prevent unauthorized modifications to plugin settings by ensuring that requests originate from legitimate administrative sessions. In this case, the plugin accepts empty token values as valid, effectively bypassing the intended security controls. This weakness directly aligns with CWE-352, which describes cross-site request forgery vulnerabilities where insufficient validation of request authenticity allows attackers to perform unauthorized actions on behalf of authenticated users.
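The pattern the advisory describes, a nonce check that only runs when a token is present, is shown below as an added illustration beside a hardened handler. This is hypothetical example code, not the ZT Captcha plugin's source; the function names, the `ztcpt_nonce` field, the `ztcpt_settings` option and its keys are assumed, while `wp_verify_nonce()`, `check_admin_referer()`, `current_user_can()` and the other calls are the real WordPress APIs.

```php
<?php
// VULNERABLE PATTERN (hypothetical): verification is conditional on a
// non-empty token, so a forged POST that omits the field or sends an
// empty string never reaches wp_verify_nonce() and the save proceeds.
function ztcpt_save_settings_vulnerable() {
    if ( ! empty( $_POST['ztcpt_nonce'] )
         && ! wp_verify_nonce( $_POST['ztcpt_nonce'], 'save_ztcpt_captcha_settings' ) ) {
        wp_die( 'Invalid nonce' );
    }
    // Reached with an empty token: attacker-supplied values are persisted.
    update_option( 'ztcpt_settings', $_POST['ztcpt_settings'] ?? array() );
}

// HARDENED PATTERN: the token is required unconditionally and verified
// against the exact action string; a capability check then ensures only
// an administrator session can write the settings at all.
function ztcpt_save_settings_hardened() {
    $nonce = isset( $_POST['ztcpt_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['ztcpt_nonce'] ) ) : '';
    if ( '' === $nonce || ! wp_verify_nonce( $nonce, 'save_ztcpt_captcha_settings' ) ) {
        wp_die( 'Invalid or missing nonce', '', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $raw = ( isset( $_POST['ztcpt_settings'] ) && is_array( $_POST['ztcpt_settings'] ) )
        ? wp_unslash( $_POST['ztcpt_settings'] ) : array();
    // Allow-list and sanitize only the keys the plugin expects (assumed keys).
    $clean = array(
        'enabled'  => ! empty( $raw['enabled'] ) ? 1 : 0,
        'site_key' => isset( $raw['site_key'] ) ? sanitize_text_field( $raw['site_key'] ) : '',
    );
    update_option( 'ztcpt_settings', $clean );
}

// Same guarantee using the core helper: check_admin_referer() calls
// wp_die() itself when the named nonce field is missing or invalid.
function ztcpt_save_settings_with_helper() {
    check_admin_referer( 'save_ztcpt_captcha_settings', 'ztcpt_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // ... sanitize and save as in ztcpt_save_settings_hardened()
}

// admin-post.php routes the action to the hardened handler.
add_action( 'admin_post_save_ztcpt_captcha_settings', 'ztcpt_save_settings_hardened' );
```

Note that `wp_verify_nonce()` already returns false for an empty nonce, so the bypass comes from skipping the call, not from the verifier accepting an empty token; a review check for this class of bug is any `! empty( $nonce ) && ! wp_verify_nonce(...)` guard in a state-changing handler.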
The operational impact of this vulnerability is substantial as it enables unauthenticated attackers to modify critical plugin settings that could compromise the entire security posture of a WordPress installation. An attacker could potentially disable the captcha functionality, change configuration parameters that affect how the plugin handles user authentication, or redirect captcha validation to malicious endpoints. This vulnerability particularly affects WordPress administrators who may be tricked into clicking malicious links or visiting compromised websites that trigger the forged requests, making it a prime target for social engineering attacks that leverage the trust relationship between administrators and legitimate site functionality.
The security implications extend beyond a single configuration change, because the vulnerability creates a persistent attack vector that can be exploited repeatedly until the plugin is patched. Attackers could manipulate the captcha settings to weaken the site's protection, potentially enabling the automated activity the captcha was deployed to prevent, such as spam posting or brute-force login attempts. Under the ATT&CK framework the vulnerability would likely map to T1078 (Valid Accounts) and T1566 (Phishing), since it requires user interaction to be effective but yields lasting control over administrative functions.
Organizations should immediately update to the latest version of the ZT Captcha plugin where this vulnerability has been addressed through proper nonce validation implementation. The recommended mitigation strategy includes implementing additional security measures such as restricting administrative access to trusted IP addresses, enabling two-factor authentication for administrative accounts, and monitoring for unusual plugin configuration changes. Security teams should also conduct thorough audits of all installed WordPress plugins to identify similar nonce validation issues that could present similar risks. The vulnerability serves as a reminder of the critical importance of proper input validation and nonce implementation in web applications, particularly in administrative interfaces where unauthorized modifications could have severe consequences for system security and data integrity.