Common Weakness Enumeration

CWE-804

Allowed

Guessable CAPTCHA

Abstraction: Base · Status: Incomplete

The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

24 vulnerabilities reference this CWE, most recent first.

CVE-2023-6963 (GCVE-0-2023-6963)

Vulnerability from cvelistv5 – Published: 2024-02-05 21:22 – Updated: 2026-04-08 17:25
VLAI
Title
Getwid – Gutenberg Blocks <= 2.0.4 - Captcha Bypass
Summary
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to bypass the Captcha Verification of the Contact Form block by omitting 'g-recaptcha-response' from the 'data' array.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
jetmonsters Getwid – Gutenberg Blocks Affected: 0 , ≤ 2.0.4 (semver)
Create a notification for this product.
Credits
Lucio Sá
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-6963",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-06T16:38:49.003534Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:34.751Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:50:06.720Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d317f2c7-06f3-4875-9f9b-eb7f450aa2f4?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/3022982"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Getwid \u2013 Gutenberg Blocks",
          "vendor": "jetmonsters",
          "versions": [
            {
              "lessThanOrEqual": "2.0.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lucio S\u00e1"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Getwid \u2013 Gutenberg Blocks plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to bypass the Captcha Verification of the Contact Form block by omitting \u0027g-recaptcha-response\u0027 from the \u0027data\u0027 array."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-804",
              "description": "CWE-804 Guessable CAPTCHA",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:25:28.890Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d317f2c7-06f3-4875-9f9b-eb7f450aa2f4?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3022982"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-12-19T00:00:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2024-01-17T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Getwid \u2013 Gutenberg Blocks \u003c= 2.0.4 - Captcha Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-6963",
    "datePublished": "2024-02-05T21:22:02.318Z",
    "dateReserved": "2023-12-19T20:14:55.515Z",
    "dateUpdated": "2026-04-08T17:25:28.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-4036 (GCVE-0-2022-4036)

Vulnerability from cvelistv5 – Published: 2022-11-29 20:34 – Updated: 2026-04-08 17:33
VLAI
Title
Appointment Hour Booking <= 1.3.72 - CAPTCHA Bypass
Summary
The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Credits
Luca Greeb Andreas Krüger
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:27:54.119Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2803896%40appointment-hour-booking\u0026new=2803896%40appointment-hour-booking\u0026sfp_email=\u0026sfph_mail="
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4036"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-4036",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-23T21:18:48.319483Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-23T21:18:54.672Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Appointment Hour Booking \u2013 Booking Calendar",
          "vendor": "codepeople",
          "versions": [
            {
              "lessThanOrEqual": "1.3.72",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Luca Greeb"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Andreas Kr\u00fcger"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-804",
              "description": "CWE-804 Guessable CAPTCHA",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:33:29.365Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f62d28bd-fa33-4f0b-a116-5aacc05bfa3a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2803896%40appointment-hour-booking\u0026new=2803896%40appointment-hour-booking\u0026sfp_email=\u0026sfph_mail="
        },
        {
          "url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4036"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2022-11-29T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Appointment Hour Booking \u003c= 1.3.72 - CAPTCHA Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2022-4036",
    "datePublished": "2022-11-29T20:34:59.668Z",
    "dateReserved": "2022-11-16T18:38:10.160Z",
    "dateUpdated": "2026-04-08T17:33:29.365Z",
    "requesterUserId": "8d345d3f-a59e-4410-a440-fac6e918fcfc",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-1801 (GCVE-0-2022-1801)

Vulnerability from cvelistv5 – Published: 2022-06-20 10:25 – Updated: 2024-08-03 00:16
VLAI
Title
Very Simple Contact Form < 11.6 - Captcha bypass
Summary
The Very Simple Contact Form WordPress plugin before 11.6 exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check, rendering the page a likely target for spam bots.
Severity
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
Unknown Very Simple Contact Form Affected: 11.6 , < 11.6 (custom)
Create a notification for this product.
Credits
Sebastian Cruz Cardona
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:16:59.881Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/a5c97809-2ffc-4efb-8c80-1b734361cd06"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Very Simple Contact Form",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "11.6",
              "status": "affected",
              "version": "11.6",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sebastian Cruz Cardona"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Very Simple Contact Form WordPress plugin before 11.6 exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check, rendering the page a likely target for spam bots."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-804",
              "description": "CWE-804 Guessable CAPTCHA",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-20T10:25:58.000Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/a5c97809-2ffc-4efb-8c80-1b734361cd06"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Very Simple Contact Form \u003c 11.6 - Captcha bypass",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-1801",
          "STATE": "PUBLIC",
          "TITLE": "Very Simple Contact Form \u003c 11.6 - Captcha bypass"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Very Simple Contact Form",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "11.6",
                            "version_value": "11.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sebastian Cruz Cardona"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Very Simple Contact Form WordPress plugin before 11.6 exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check, rendering the page a likely target for spam bots."
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-804 Guessable CAPTCHA"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/a5c97809-2ffc-4efb-8c80-1b734361cd06",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/a5c97809-2ffc-4efb-8c80-1b734361cd06"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-1801",
    "datePublished": "2022-06-20T10:25:59.000Z",
    "dateReserved": "2022-05-19T00:00:00.000Z",
    "dateUpdated": "2024-08-03T00:16:59.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-28M7-2RMV-HWQR

Vulnerability from github – Published: 2026-03-05 06:30 – Updated: 2026-03-09 18:31
VLAI
Details

Guessable CAPTCHA vulnerability in jp-secure SiteGuard WP Plugin siteguard allows Functionality Bypass.This issue affects SiteGuard WP Plugin: from n/a through <= 1.7.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-804"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-05T06:16:29Z",
    "severity": "MODERATE"
  },
  "details": "Guessable CAPTCHA vulnerability in jp-secure SiteGuard WP Plugin siteguard allows Functionality Bypass.This issue affects SiteGuard WP Plugin: from n/a through \u003c= 1.7.9.",
  "id": "GHSA-28m7-2rmv-hwqr",
  "modified": "2026-03-09T18:31:38Z",
  "published": "2026-03-05T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27411"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/siteguard/vulnerability/wordpress-siteguard-wp-plugin-plugin-1-7-9-captcha-bypass-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4639-47CP-327M

Vulnerability from github – Published: 2026-03-10 21:32 – Updated: 2026-03-11 15:31
VLAI
Details

If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. The details of captcha challenge are exposed within document body of articles with comments & anti spam-captcha functionalities enabled, including "capcha-letter", "capcha-word" and "capcha-token" which can be used to construct a valid post request to publish a comment. As such, attackers can flood articles with automated spam comments, especially if there are no other web defenses available.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-70129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-804"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-10T20:16:20Z",
    "severity": "MODERATE"
  },
  "details": "If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. The details of captcha challenge are exposed within document body of articles with comments \u0026 anti spam-captcha functionalities enabled, including \"capcha-letter\", \"capcha-word\" and \"capcha-token\" which can be used to construct a valid post request to publish a comment. As such, attackers can flood articles with automated spam comments, especially if there are no other web defenses available.",
  "id": "GHSA-4639-47cp-327m",
  "modified": "2026-03-11T15:31:46Z",
  "published": "2026-03-10T21:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/forest4x/vuln-research-public/blob/main/CVE-2025-70129.pdf"
    },
    {
      "type": "WEB",
      "url": "https://youtu.be/dD2olE4yMqY"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5CWM-9HM2-R3CF

Vulnerability from github – Published: 2022-11-29 21:30 – Updated: 2026-04-08 21:31
VLAI
Details

The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-804",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-29T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie.",
  "id": "GHSA-5cwm-9hm2-r3cf",
  "modified": "2026-04-08T21:31:45Z",
  "published": "2022-11-29T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4036"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2803896%40appointment-hour-booking\u0026new=2803896%40appointment-hour-booking\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f62d28bd-fa33-4f0b-a116-5aacc05bfa3a?source=cve"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6589-39CQ-P9HW

Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2024-05-17 09:31
VLAI
Details

Guessable CAPTCHA vulnerability in BestWebSoft Captcha by BestWebSoft allows Functionality Bypass.This issue affects Captcha by BestWebSoft: from n/a through 5.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-804"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T09:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Guessable CAPTCHA vulnerability in BestWebSoft Captcha by BestWebSoft allows Functionality Bypass.This issue affects Captcha by BestWebSoft: from n/a through 5.2.0.",
  "id": "GHSA-6589-39cq-p9hw",
  "modified": "2024-05-17T09:31:02Z",
  "published": "2024-05-17T09:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31295"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/captcha-bws/wordpress-captcha-by-bestwebsoft-plugin-5-2-0-captcha-bypass-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9P5C-4HGP-XHPR

Vulnerability from github – Published: 2025-02-25 15:34 – Updated: 2025-02-25 15:34
VLAI
Details

The Advanced Google reCaptcha plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.27 . This makes it possible for unauthenticated attackers to bypass the Built-in Math Captcha Verification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-804"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-25T13:15:10Z",
    "severity": "MODERATE"
  },
  "details": "The Advanced Google reCaptcha plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.27 . This makes it possible for unauthenticated attackers to bypass the Built-in Math Captcha Verification.",
  "id": "GHSA-9p5c-4hgp-xhpr",
  "modified": "2025-02-25T15:34:36Z",
  "published": "2025-02-25T15:34:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1262"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3244677/advanced-google-recaptcha"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d553aab2-d441-46d6-9c01-5dcfdc48674f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C8XC-GC49-4VF2

Vulnerability from github – Published: 2022-06-21 00:00 – Updated: 2022-06-29 00:00
VLAI
Details

The Very Simple Contact Form WordPress plugin before 11.6 exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check, rendering the page a likely target for spam bots.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-804",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-20T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Very Simple Contact Form WordPress plugin before 11.6 exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check, rendering the page a likely target for spam bots.",
  "id": "GHSA-c8xc-gc49-4vf2",
  "modified": "2022-06-29T00:00:27Z",
  "published": "2022-06-21T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1801"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/a5c97809-2ffc-4efb-8c80-1b734361cd06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G44V-6QFM-F6CH

Vulnerability from github – Published: 2023-03-21 06:30 – Updated: 2023-03-27 22:10
VLAI
Summary
Answer has Guessable CAPTCHA
Details

Guessable CAPTCHA in GitHub repository answerdev/answer prior to 1.0.6.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/answerdev/answer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307",
      "CWE-804"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-21T22:32:31Z",
    "nvd_published_at": "2023-03-21T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Guessable CAPTCHA in GitHub repository answerdev/answer prior to 1.0.6.",
  "id": "GHSA-g44v-6qfm-f6ch",
  "modified": "2023-03-27T22:10:58Z",
  "published": "2023-03-21T06:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/answerdev/answer/commit/813ad0b9894673b1bdd489a2e9ab60a44fe990af"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/answerdev/answer"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/b4df67f4-14ea-4051-97d4-26690c979a28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Answer has Guessable CAPTCHA"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.