Security vulnerability

Resolved fedeltamedia
(@fedeltamedia)

1 day, 17 hours ago

The Plugin “Advanced Google reCAPTCHA” has a security vulnerability.

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-google-recaptcha/wp-captcha-pro-538-missing-authorization-to-authenticated-subscriber-arbitrary-file-upload

Before you’re gonna reply with “That vulnerability was present ONLY in the PRO version […]”. Do realize that EVERY user with a security plugin like Wordfence will receive this message. When not fixed, people will uninstall this plugin. Either patch it, or push an empty update labeled “Security vulnerability patched” to stop the warnings/topics the coming days. Or… do nothing and lose users.

Viewing 6 replies - 1 through 6 (of 6 total)

Plugin Author Alexandru Tapuleasa
(@talextech)

1 day, 4 hours ago

Hi,

Thank you for the suggestion, we will do that. But Wordfence itself seems to differentiate between free and PRO and is not showing an alert for the free version. Could you tell us what plugin you use to check vulnerabilities?

wzshop
(@wzshop)

1 day, 3 hours ago

Exactly this, we are waiting for a fix.

wzshop
(@wzshop)

1 day, 3 hours ago

Hi, it does alert for the free version. Currently using free version, version 1.35 and Wordfence does give the alert that there is a critical Security vulnerability
Thread Starter fedeltamedia
(@fedeltamedia)

1 day, 3 hours ago
We are using Advanced Google reCAPTCHA free version 1.35. In combination with Wordfence free. The hint on why the alert is sent out for the Free version lies in the first line on the Wordfence website:

“The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 5.38.”

You’ve published both the free and pro plugin under the same slug. So any security vulnerability found in the pro version, will also trigger the free version.

Again:
1. Push an empty update labeled “Security vulnerability patched”. And keep doing this each time a new security vulnerability is found
or:
2. Move either version to their own slug
- This reply was modified 1 day, 3 hours ago by fedeltamedia.
- This reply was modified 1 day, 3 hours ago by fedeltamedia.
Cognisant_2000
(@cognisant_2000)

1 day, 3 hours ago

We also got this warning from one customer site. The version is Version 1.35, so either this has been fixed on both Pro and Free, or this is something new.

Here is the full page from WordFence warning https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/advanced-google-recaptcha/wp-captcha-pro-538-missing-authorization-to-authenticated-subscriber-arbitrary-file-upload

The page status shows 5 of June, so this may be something new, as the previous issue was detected on 27 March 2025.

Please can you clarify as we need to either find a fix for this, or replace it with an alternative.

Regards

evildoer
(@evildoer)

1 day ago

Same here. Version 1.3.5 and waiting for update confirmation on the security threat showing on multiple websites.

Is the free version fixed or not ?

Viewing 6 replies - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.

Tags