{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1369", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-01-23T13:59:57.486Z", "datePublished": "2026-02-22T06:00:02.222Z", "dateUpdated": "2026-04-02T12:39:57.264Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:57.264Z"}, "title": "Conditional CAPTCHA <= 4.0.0 - Open Redirect", "problemTypes": [{"descriptions": [{"description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Conditional CAPTCHA", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "4.0.0"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue"}], "references": [{"url": "https://wpscan.com/vulnerability/5a275725-85f2-4463-880b-9473dbdfa8e0/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Bob Matyas", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-601", "lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T18:19:53.655791Z", "id": "CVE-2026-1369", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:19:58.115Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1369", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T18:19:53.655791Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:19:15.732Z"}}], "cna": {"title": "Conditional CAPTCHA <= 4.0.0 - Open Redirect", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bob Matyas"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Conditional CAPTCHA", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.0.0"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/5a275725-85f2-4463-880b-9473dbdfa8e0/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:57.264Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1369", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:57.264Z", "dateReserved": "2026-01-23T13:59:57.486Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-02-22T06:00:02.222Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue"}, {"lang": "es", "value": "El plugin de WordPress Conditional CAPTCHA hasta la versi\u00f3n 4.0.0 no valida un par\u00e1metro antes de redirigir al usuario a su valor, lo que lleva a un problema de redirecci\u00f3n abierta."}], "id": "CVE-2026-1369", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-22T06:16:02.537", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/5a275725-85f2-4463-880b-9473dbdfa8e0/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.0.0]"}}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}]}, "original": {"product": "Conditional CAPTCHA", "source": "cna", "vendor": "Unknown"}, "product": "conditional_captcha", "vendor": "conditional_captcha"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:09:33.106991+00:00", "value": {"mitigation_remediation": ["Upgrade the Conditional CAPTCHA plugin to the latest version that implements a redirect validation check", "If a newer release is not immediately available, disable or uninstall the plugin to eliminate the risk until a patch is released", "Add server\u2011side validation or a whitelist for redirect URLs, ensuring only trusted destinations are allowed, or use an additional security module that blocks untrusted redirects"], "summary": {"action": "Update Plugin", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Conditional CAPTCHA plugin and load it in any context exposed to the vulnerable redirect parameter are affected. If a site uses version 4.0.0 or older, regardless of theme or other plugins, the redirect vulnerability is present.", "description_and_impact": "The Conditional CAPTCHA WordPress plugin version 4.0.0 and earlier fails to validate a URL passed as a parameter before executing a redirect. An attacker can craft a link that steers a visitor\u2019s browser to an arbitrary site, enabling phishing, credential theft, or delivery of malicious content by exploiting the victim\u2019s trust in the legitimate page. This flaw does not expose or modify sensitive data, and it does not alter system state or availability; the primary consequence is the loss of user confidence and potential credential compromise through deceptive redirects.", "risk_and_exploitability": "The reported CVSS score suggests moderate risk, while the associated probability of exploitation is low. The vulnerability is not included in the known exploited vulnerabilities catalog. Attackers can exploit the flaw by enticing users to follow a manipulated link; no authentication or privileged access is required. The attack vector is user\u2011initiated via a crafted URL, yielding a moderate overall threat that can be mitigated by prompt remediation."}}}}, "created": "2026-02-23T14:29:28.533708+00:00", "updated": "2026-04-16T06:15:26.914473+00:00", "vendors": ["conditional_captcha", "conditional_captcha$PRODUCT$conditional_captcha", "wordpress", "wordpress$PRODUCT$wordpress"]}