CVE-2026-1369
📋 TL;DR
The Conditional CAPTCHA WordPress plugin through version 4.0.0 contains an open redirect: a crafted link on the legitimate site forwards visitors to a destination the attacker controls. Sites running vulnerable versions lend their own domain to phishing lures, which erodes user trust and makes credential-theft pages look legitimate.
💻 Affected Systems
- Conditional CAPTCHA WordPress Plugin
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version ranges, so automated scanners that rely on NVD data alone cannot tell whether your install is affected.
Why? The vendor/NVD record does not specify which versions are vulnerable. The version guidance on this page (vulnerable through 4.0.0, fixed in 4.0.1) comes from the WPScan advisory linked under Fix & Mitigation, so check the installed version by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Users could be redirected to phishing sites that steal credentials or install malware, leading to account compromise and data breaches.
Likely Case
Attackers use the redirect for phishing campaigns, tricking users into visiting malicious sites that appear legitimate.
If Mitigated
With the plugin updated to 4.0.1 or deactivated, the redirect no longer honours attacker-supplied destinations. User awareness and browser anti-phishing warnings only lower the success rate of links that still work; they do not close the redirect.
🎯 Exploit Status
Open redirect vulnerabilities are commonly exploited in phishing campaigns and require minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.1 or later
Vendor Advisory: https://wpscan.com/vulnerability/5a275725-85f2-4463-880b-9473dbdfa8e0/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Conditional CAPTCHA plugin.
4. Click 'Update Now' if available.
5. If no update appears, download the latest version from the WordPress plugin repository and replace the plugin files (back up the existing plugin directory first).
🔧 Temporary Workarounds
Disable Plugin
Temporarily deactivate the Conditional CAPTCHA plugin until it is patched. Confirm the plugin slug with wp plugin list first; the slug conditional-captcha below is assumed. Any CAPTCHA protection the plugin adds to forms is lost while it is off.
wp plugin deactivate conditional-captcha
🧯 If You Can't Patch
- Add a WAF rule on the plugin's redirect handler that rejects a destination parameter naming any host other than your own: allow relative paths and your own hostnames only, and block protocol-relative //host values and non-http schemes as well. This page does not name the parameter; take it from the WPScan advisory.
- Browser-side protections on user endpoints (Safe Browsing, anti-phishing extensions) warn about known-bad destinations but do not stop the redirect itself; treat them as defence in depth, not a fix.
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins > Installed Plugins and read the version shown for Conditional CAPTCHA. If it is 4.0.0 or earlier, the install is vulnerable.
Check Version:
wp plugin get conditional-captcha --field=version
Verify Fix Applied:
Verify plugin version is 4.0.1 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirects in web server logs with external domains in redirect parameters.
- Multiple 302 redirect responses to unfamiliar domains.
Network Indicators:
- HTTP 302 redirects to external domains from WordPress pages using the Conditional CAPTCHA plugin.
SIEM Query (pseudo-syntax; map the field names to your platform):
source="web_server_logs" AND (status=301 OR status=302) AND uri CONTAINS "conditional-captcha" AND uri MATCHES "(?i)(%3A%2F%2F|%2F%2F|://|//)" AND NOT uri CONTAINS "<your-hostname>"
Access logs record the request URI and status code but not the Location response header, so the off-site destination has to be matched in the request's own query string, in both percent-encoded and plain form. The Referer header records where the visitor came from, not where they were sent, so it is not the field to test.
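As an added example (not code from this page, the plugin, or WPScan), the Python below does the two things the WAF rule and the SIEM query above need: it classifies a redirect destination as on-site or off-site, covering the usual evasions (protocol-relative //host, backslashes, https:host without slashes, userinfo tricks, double encoding, non-http schemes), and it scans access-log lines for redirect responses whose query string carries an off-site URL. The site hostnames, the log lines, the request path handler.php and the parameter name next are constructed placeholders; this page does not name the plugin's real endpoint or parameter.

```python
"""Classify redirect destinations and scan access-log lines for off-site redirects.

Added example, not code from the plugin or the advisory. Hostnames, log lines,
request path and parameter name are constructed placeholders.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed: the hostnames a redirect is allowed to land on (the site itself).
SITE_HOSTS = {"example.com", "www.example.com"}
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}


def is_external_destination(value, site_hosts=SITE_HOSTS):
    """Return True if using `value` as a redirect target would leave the site.

    This is the check a WAF rule or a fixed redirect handler has to make.
    A bare "host/path" has no scheme, so browsers resolve it relative to the
    current origin; it is treated as on-site.
    """
    v = value
    for _ in range(3):                  # undo repeated percent-encoding (%252F%252F)
        decoded = unquote(v)
        if decoded == v:
            break
        v = decoded
    v = v.strip().replace("\\", "/")    # browsers treat backslashes as slashes
    if v.startswith("//"):
        return True                     # scheme-relative URL: always off-site
    parts = urlsplit(v)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return True                     # javascript:, data:, mailto:, ...
    if scheme and not parts.netloc:
        # "https:evil.example" has no "//" but browsers still parse the path as host
        parts = urlsplit(scheme + "://" + parts.path.lstrip("/"))
    if not parts.netloc:
        return False                    # relative path, stays on-site
    # .hostname strips userinfo, so "https://www.example.com@evil" yields "evil"
    return (parts.hostname or "").lower() not in site_hosts


# Combined log format: ip ident user [time] "METHOD URI PROTO" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def scan_access_log(lines, site_hosts=SITE_HOSTS, path_marker=None):
    """Return (client_ip, request_uri, decoded_target) for each redirect response
    whose query string carried an off-site URL in any parameter.

    Access logs hold the request URI and status but not the Location header, so
    the destination is recovered from the request itself. `path_marker`, if set,
    restricts the scan to URIs containing it (e.g. the plugin directory name).
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["status"] not in REDIRECT_STATUSES:
            continue
        uri = m["uri"]
        if path_marker and path_marker.lower() not in uri.lower():
            continue
        for _name, val in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
            if is_external_destination(val, site_hosts):
                hits.append((m["ip"], uri, unquote(val)))
                break                   # one hit per request line is enough
    return hits


# Constructed log lines; handler.php and the "next" parameter are placeholders.
_P = "/wp-content/plugins/conditional-captcha/handler.php"
SAMPLE_LOG = [
    # off-site absolute URL in the query, answered with a 302: a hit
    f'203.0.113.7 - - [10/Jan/2026:12:00:01 +0000] "GET {_P}?next=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # double-encoded protocol-relative evasion: also a hit
    f'203.0.113.7 - - [10/Jan/2026:12:00:02 +0000] "GET {_P}?next=%252F%252Fphish.example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # relative path: legitimate on-site redirect
    f'198.51.100.5 - - [10/Jan/2026:12:00:03 +0000] "GET {_P}?next=%2Fwp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # absolute URL to the site's own host: on-site
    f'198.51.100.5 - - [10/Jan/2026:12:00:04 +0000] "GET {_P}?next=https%3A%2F%2Fwww.example.com%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # off-site URL in the query but a 200 response, so no redirect happened
    '198.51.100.5 - - [10/Jan/2026:12:00:05 +0000] "GET /?ref=https%3A%2F%2Fphish.example HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, uri, target in scan_access_log(SAMPLE_LOG, path_marker="conditional-captcha"):
        print(f"{ip} redirected off-site via {uri} -> {target}")
```

Run against a real log with `scan_access_log(open("access.log"), path_marker="conditional-captcha")` after adjusting SITE_HOSTS to your own hostnames; the same is_external_destination check is what a server-side fix or WAF rule should apply to the destination parameter before issuing the redirect.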