cleantalk
Vulnerabilities and Security Researches

Kcaptcha, CVE-2026-4121

CVE, Research URL

CVE-2026-4121

Home page URL

Security reports for Kcaptcha

Application

Kcaptcha

Published on
Apr 22, 2026
Research Description
The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (admin/setting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb->update(). This makes it possible for unauthenticated attackers to modify the plugin's CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Affected versions
max 1.0.1.
Status
vulnerable
Previous vulnerability researches
Twittee Text Tweet (CVE-2026-4089) , Apr 23, 2026
Twittee Text Tweet (CVE-2023-0602) , Jun 07, 2024
New vulnerability
Sendmachine for WordPress (CVE-2026-6235) , Apr 24, 2026
Emailchef (CVE-2026-1930) , Apr 24, 2026
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier (CVE-2025-6833) , Apr 24, 2026
WP Responsive Popup + Optin (CVE-2026-4131) , Apr 24, 2026
Portfolio Gallery, Product Catalog – Grid KIT Portfolio (CVE-2025-5092) , Apr 24, 2026