Description

WordPress Plugin Captcha contains a backdoor. Attackers can exploit this issue to execute arbitrary commands in the context of the application. Successful attacks will compromise the affected application and possibly the webserver or computer. WordPress Plugin Captcha versions starting from 4.3.6 and up to, and including 4.4.4 are vulnerable.

Remediation

Update to plugin version 4.4.5 or latest

References

https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/

https://wordpress.org/support/topic/backdoor-2/

https://plugins.svn.wordpress.org/captcha/trunk/readme.txt

Related Vulnerabilities

Joomla! Core 1.5.x Security Bypass (1.5.0 - 1.5.24)

WordPress Plugin fGallery SQL Injection (2.4.1)

Piwigo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2022-32297)

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-5739)

Hesk Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-13897)

Severity

High

Classification

CWE-95 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update