CVE-2026-1369 in Conditional CAPTCHA Plugin

Summary

by MITRE • 02/22/2026

The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue


Analysis

by VulDB Data Team • 02/22/2026

CVE-2026-1369 affects the Conditional CAPTCHA WordPress plugin through version 4.0.0. The plugin reads a request parameter and redirects the browser to its value without checking that the destination belongs to the site, which is an open redirect (CWE-601, URL Redirection to Untrusted Site). Whoever controls that parameter therefore controls where the visitor ends up. The public description does not name the parameter or the affected endpoint, so the exact request shape has to be taken from the plugin source or from WPScan's advisory.

Because no validation is performed, a link to the legitimate site can carry an absolute URL to an attacker-controlled host in that parameter, and the plugin will forward the visitor there. The link itself points at the trusted domain, so it passes a casual inspection, survives many link-reputation filters, and lends the site's name to whatever page the attacker serves at the far end. A proper check would either accept only a site-relative path or compare the destination's host against an allowlist of the site's own hosts before redirecting.

The practical impact is phishing and social engineering rather than a direct compromise of the site: a user who follows a crafted link to the trusted site lands on an attacker-controlled page, which can imitate the site's login form or the WordPress admin interface to harvest credentials. Exposure is limited to visitors who follow such a link; the flaw does not by itself let an attacker read or modify anything on the server, and an open redirect alone is not a critical issue. The low EPSS score recorded on this page (0.00038) matches that assessment.

Site owners should update to a release later than 4.0.0 as soon as WPScan or the vendor reports a fixed version; until then, disabling the plugin or placing a rule in front of the site that rejects off-site values in the redirect parameter limits the exposure. For the plugin itself the fix is the standard WordPress one: pass the target through wp_validate_redirect(), or call wp_safe_redirect() instead of wp_redirect(), so that only destinations whose host is on the allowed_redirect_hosts list (the site's own host by default) are followed. Defenders can also review access logs for requests whose redirect parameter carries an absolute or protocol-relative URL to a foreign host. More generally, this is the case covered by OWASP's Unvalidated Redirects and Forwards guidance, and plugin audits should check every wp_redirect() or header('Location: ...') call for how its target is derived.
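The validation and the log review described above, as an added example that is not code from the Conditional CAPTCHA plugin or from VulDB. The check follows the same idea as WordPress core's wp_validate_redirect(): parse the candidate target, reject scheme and host tricks, and accept only a same-site path or an http(s) URL whose host is on an explicit allowlist. The parameter name `redirect_to`, the site host `shop.example` and the access-log lines are constructed assumptions; the advisory does not name the vulnerable parameter.

```python
"""Redirect-target validation and log triage for an open redirect (CWE-601).

Added example, not code from the Conditional CAPTCHA plugin or from VulDB.
The check follows the idea behind WordPress core's wp_validate_redirect():
resolve the candidate URL, reject scheme and host tricks, and accept only a
destination whose host is on an explicit allowlist. The parameter name
`redirect_to`, the site host `shop.example` and the log lines below are
constructed assumptions; the advisory does not name the vulnerable parameter.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the site may redirect to (constructed; WordPress keeps the equivalent
# list behind the allowed_redirect_hosts filter).
ALLOWED_HOSTS = {"shop.example"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site path or an http(s) URL on an allowed host."""
    target = target.strip()
    if not target:
        return False
    # Browsers treat "\" like "/", so "/\evil.example" would be followed as
    # "//evil.example"; normalise before parsing so it is judged as such.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    # Only http(s) (or no scheme at all): rejects javascript:, data:, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if not parts.netloc:
        # "http:evil.example" parses with a scheme but no host; reject it.
        if parts.scheme:
            return False
        # A site-relative path must start with exactly one "/": "//host"
        # and "///host" are protocol-relative URLs, not paths.
        return target.startswith("/") and not target.startswith("//")
    # "https://shop.example@evil.example" reads as the trusted host to a
    # human but resolves to evil.example; userinfo in the host is never a
    # legitimate redirect target.
    if "@" in parts.netloc:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Feb/2026:10:01:02 +0000] "GET /?redirect_to=%2Faccount HTTP/1.1" 302 0
203.0.113.9 - - [22/Feb/2026:10:01:07 +0000] "GET /?redirect_to=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0
203.0.113.9 - - [22/Feb/2026:10:01:09 +0000] "GET /?redirect_to=%2F%5Cevil.example HTTP/1.1" 302 0
198.51.100.2 - - [22/Feb/2026:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def find_offsite_redirects(log_text, param="redirect_to", allowed_hosts=ALLOWED_HOSTS):
    """Return (client_ip, redirect_value, status) for requests whose redirect
    parameter fails is_safe_redirect(). A 302 on such a request is the
    signature of a successful off-site redirect on an unpatched site."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("url")).query
        # parse_qs percent-decodes, so the value is what the plugin saw.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if not is_safe_redirect(value, allowed_hosts):
                hits.append((m.group("ip"), value, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, value, status in find_offsite_redirects(SAMPLE_LOG):
        print(f"{ip} requested off-site redirect to {value!r} (HTTP {status})")
```

The allowlist is deliberately strict: a bare relative path such as `account` is rejected along with `//evil.example`, because the safe shapes are easy to enumerate and everything else is where the bypasses live. In production the log scan would run over the real access log and the parameter name would come from the plugin's source.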

Responsible: WPScan
Reservation: 01/23/2026
Disclosure: 02/22/2026
Moderation: accepted
CPE: ready
EPSS: 0.00038
KEV: no
Activities: very low
