{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1262", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-12T20:41:36.966Z", "datePublished": "2025-02-25T12:41:27.476Z", "dateUpdated": "2026-04-08T17:26:05.522Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:05.522Z"}, "affected": [{"vendor": "webfactory", "product": "Advanced Google reCAPTCHA", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.27", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Google reCaptcha plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.27 . This makes it possible for unauthenticated attackers to bypass the Built-in Math Captcha Verification."}], "title": "Advanced Google reCaptcha <= 1.27 - Built-in Math CAPTCHA Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d553aab2-d441-46d6-9c01-5dcfdc48674f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3244677/advanced-google-recaptcha"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-804 Guessable CAPTCHA", "cweId": "CWE-804", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Max Boll"}], "timeline": [{"time": "2025-02-12T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-02-24T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-25T14:32:25.900534Z", "id": "CVE-2025-1262", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:37:05.499Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1262", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-25T14:32:25.900534Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:32:27.755Z"}}], "cna": {"title": "Advanced Google reCaptcha <= 1.27 - Built-in Math CAPTCHA Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Max Boll"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "webfactory", "product": "Advanced Google reCAPTCHA", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.27"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-12T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-02-24T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d553aab2-d441-46d6-9c01-5dcfdc48674f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3244677/advanced-google-recaptcha"}], "descriptions": [{"lang": "en", "value": "The Advanced Google reCaptcha plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.27 . This makes it possible for unauthenticated attackers to bypass the Built-in Math Captcha Verification."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-804", "description": "CWE-804 Guessable CAPTCHA"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-02-25T12:41:27.476Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1262", "state": "PUBLISHED", "dateUpdated": "2025-02-25T14:37:05.499Z", "dateReserved": "2025-02-12T20:41:36.966Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-02-25T12:41:27.476Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webfactoryltd:advanced_google_recaptcha:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "78DF4004-6764-44A3-90DF-A63654CC93C0", "versionEndExcluding": "1.2.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Google reCaptcha plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.27 . This makes it possible for unauthenticated attackers to bypass the Built-in Math Captcha Verification."}, {"lang": "es", "value": "El complemento Advanced Google reCaptcha para WordPress es vulnerable a CAPTCHA Bypass en versiones hasta la 1.27 incluida. Esto permite que atacantes no autenticados eludan la verificaci\u00f3n de captcha matem\u00e1tica integrada."}], "id": "CVE-2025-1262", "lastModified": "2025-02-28T01:30:32.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-02-25T13:15:10.077", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3244677/advanced-google-recaptcha"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d553aab2-d441-46d6-9c01-5dcfdc48674f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-804"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:48:02.837444+00:00", "value": {"mitigation_remediation": ["Upgrade the Advanced Google reCaptcha plugin to version\u00a01.28 or later", "If an upgrade is not possible, disable the Math Captcha feature or remove the plugin entirely", "Implement web\u2011application firewall rules to detect and block known bypass patterns and monitor for abnormal form submission activity"], "summary": {"action": "Update Plugin", "impact": "CAPTCHA Bypass allowing automated form submission and potential spam or brute\u2011force attacks"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the webfactory:Advanced Google reCAPTCHA WordPress plugin in all releases up to and including version 1.27. Users operating any of those releases are impacted.", "description_and_impact": "The Advanced Google reCaptcha plugin for WordPress is vulnerable to a CAPTCHA bypass in its Built\u2011in Math Captcha verification. With this flaw, unauthenticated attackers can submit forms or perform automated actions without completing the mathematical challenge, potentially facilitating spam, credential stuffing, or brute\u2011force attempts. The weakness is a Classic Input Validation problem, classified as CWE\u2011804.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The flaw is not listed in CISA\u2019s KEV catalog. Exploitation requires only unauthenticated access to a site that uses the Math Captcha, making it a remote attack vector over HTTP/HTTPS. While immediate life\u2011threatening risk is low, attackers could use it to automate malicious submissions."}}}}, "created": "2026-04-21T00:00:13.357844+00:00", "updated": "2026-04-21T00:00:13.357871+00:00", "vendors": []}