CVE-2026-1369 Overview
CVE-2026-1369 is an open redirect vulnerability in the Conditional CAPTCHA WordPress plugin through version 4.0.0. The plugin fails to validate a user-supplied parameter before redirecting the browser to its value. Attackers can craft URLs that appear to originate from a trusted WordPress site but send victims to attacker-controlled destinations. This weakness is tracked under CWE-601: URL Redirection to Untrusted Site. The flaw requires user interaction, typically clicking a malicious link, and is most commonly abused for phishing and credential harvesting campaigns that leverage the trust of the originating domain.
Critical Impact
Attackers can abuse the trusted WordPress domain to redirect victims to phishing or malware-hosting sites, bypassing user judgment based on the visible source URL.
Affected Products
- Conditional CAPTCHA WordPress plugin
- All versions through and including 4.0.0
- WordPress sites with the vulnerable plugin enabled
Discovery Timeline
- 2026-02-22 - CVE-2026-1369 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-1369
Vulnerability Analysis
The Conditional CAPTCHA plugin processes a redirect parameter supplied through an HTTP request and passes the value directly to a redirect function. The plugin does not enforce an allowlist of trusted hosts or validate that the destination resides within the originating WordPress site. As a result, any fully qualified URL submitted in the parameter becomes the redirect target.
Open redirect flaws like this one [CWE-601] are routinely chained with phishing and OAuth abuse. The attacker sends a victim a link beginning with the legitimate WordPress domain, which security-aware users may inspect and trust. The server then issues an HTTP redirect to a malicious destination, where credential capture, malware delivery, or token theft occurs.
The attack requires network access and user interaction. No authentication is needed, and the impact is limited to the integrity of the redirect flow; the WordPress server itself is not compromised.
Root Cause
The root cause is missing input validation on a redirect parameter before it is consumed by the plugin's redirect logic. The plugin trusts the client-supplied value and does not compare the destination host against the site origin or a configured allowlist.
Attack Vector
An attacker constructs a URL referencing the vulnerable plugin endpoint on a target WordPress site and appends a redirect parameter pointing to an attacker-controlled domain. The attacker distributes the link through email, messaging platforms, or malicious advertisements. When the victim clicks the link, the WordPress server returns an HTTP 3xx response that sends the browser to the attacker's site. The victim's browser shows the attacker domain only after the redirect completes, which often goes unnoticed during fast credential entry on a cloned login page. Refer to the WPScan Vulnerability Advisory for technical specifics.
Detection Methods for CVE-2026-1369
Indicators of Compromise
- Web server access logs containing requests to Conditional CAPTCHA plugin endpoints with external URLs in query parameters
- HTTP 3xx responses from the WordPress site with Location headers pointing to domains outside the site origin
- Spikes in outbound referrer traffic from the WordPress site to recently registered or low-reputation domains
- User reports of unexpected redirects after clicking links that appear to originate from the WordPress site
Detection Strategies
- Inspect web server and WAF logs for requests to plugin paths containing http:// or https:// substrings within parameter values
- Correlate redirect responses with the destination domain and flag any that do not match the canonical site host
- Search threat intelligence feeds for phishing campaigns referencing the WordPress domain as an entry point
Monitoring Recommendations
- Enable detailed HTTP request logging on the WordPress site, including full query strings and response status codes
- Forward web logs to a centralized analytics platform and alert on 3xx responses with external Location headers
- Monitor brand and domain mentions in phishing intelligence sources for abuse of the site as a redirect lure
How to Mitigate CVE-2026-1369
Immediate Actions Required
- Identify all WordPress sites running the Conditional CAPTCHA plugin and verify the installed version
- Disable the Conditional CAPTCHA plugin on any site running version 4.0.0 or earlier until a fixed release is confirmed
- Review web server logs for prior exploitation attempts and notify affected users if phishing redirects are identified
- Educate site administrators and end users about phishing risks tied to trusted-domain redirects
Patch Information
No fixed version is referenced in the available advisory data. Site operators should consult the WPScan Vulnerability Advisory and the plugin's WordPress.org page for updates. If no patched release is available, remove the plugin or replace it with an actively maintained CAPTCHA solution.
Workarounds
- Deploy a web application firewall rule that blocks requests to plugin endpoints when redirect parameters contain external hostnames
- Configure the WordPress site to enforce server-side allowlists for any redirect destinations via custom code or a security plugin
- Restrict outbound HTTP redirects at the reverse proxy layer to the site's own domain and approved partners
# Example ModSecurity rule to block external redirect targets in request arguments.
# Replace example.com with the site's own canonical host. The chained second rule
# fires when an argument is an absolute URL (http:/https:, any number of slashes or
# backslashes, so https:/evil.test is caught) or a protocol-relative URL (two or more
# slashes) whose host is not exactly example.com; the lookahead requires a delimiter
# or end of string after the host, so example.com.evil.test and example.com@evil.test
# are still blocked. t:none resets inherited transformations, t:urlDecodeUni catches
# double-encoded values, and possessive quantifiers stop backtracking from allowing
# a legitimate https://example.com/ target through.
SecRule REQUEST_URI "@contains /wp-content/plugins/conditional-captcha/" \
    "id:1002601,phase:2,deny,status:403,log,msg:'Blocked potential open redirect CVE-2026-1369',chain"
    SecRule ARGS "@rx ^(?:https?:[/\x5c]*+|[/\x5c]{2,}+)(?!example\.com(?:[/?#\x5c]|$))" \
        "t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace"
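The server-side allowlist named in the Workarounds, together with the log inspection step from Detection Strategies, as an added Python example (not the plugin's code and not taken from the advisory). It assumes the canonical host example.com and the plugin path /wp-content/plugins/conditional-captcha/ used in the ModSecurity rule above; the redirect.php file name, the redirect_to parameter and the access-log lines are constructed for the demonstration. The same normalisation serves both purposes: deciding whether a redirect target may be honoured, and deciding whether a logged request carried an off-site target, including the double-encoded and look-alike-host forms that a substring search for http:// misses.

```python
"""Redirect-target allowlisting and the same check applied to access logs.

Added example, not code from the Conditional CAPTCHA plugin or the advisory.
Assumes the site's canonical host is example.com and the plugin endpoint lives
under /wp-content/plugins/conditional-captcha/; redirect.php, redirect_to and
the log lines below are constructed for the demo.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SITE_HOST = "example.com"                                 # assumed canonical host
PLUGIN_PATH = "/wp-content/plugins/conditional-captcha/"  # assumed endpoint prefix
FALLBACK = "/"                                            # where rejected targets land
_SCHEME_RE = re.compile(r"^(https?):/*(.*)$", re.I)


def _normalise(value):
    """Rewrite `value` the way a browser would read it: drop tab/CR/LF, treat
    backslash as slash, and collapse http:/x or http:x to http://x so a missing
    slash cannot hide a host inside the path component."""
    candidate = re.sub(r"[\t\r\n]", "", value).strip().replace("\\", "/")
    m = _SCHEME_RE.match(candidate)
    if m:
        candidate = f"{m.group(1).lower()}://{m.group(2)}"
    return candidate


def offsite_host(value, allowed_hosts=(SITE_HOST,)):
    """Return the external host (or non-http scheme) `value` would send the
    browser to, or None when it is a local path or an allowlisted host."""
    try:
        parts = urlsplit(_normalise(value))
        host = (parts.hostname or "").lower()
    except ValueError:
        return "(unparseable)"
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return parts.scheme.lower() + ":"          # javascript:, data:, ...
    if not parts.netloc:
        return None                                # relative path, no authority
    if host in {h.lower() for h in allowed_hosts}:
        return None
    return host or "(empty host)"


def safe_redirect_target(value, allowed_hosts=(SITE_HOST,), fallback=FALLBACK):
    """Server-side allowlist: return `value` only if it stays on an allowlisted
    host or is a plain local path; anything else becomes `fallback`."""
    if not isinstance(value, str) or not value.strip():
        return fallback
    candidate = _normalise(value)
    if offsite_host(candidate, allowed_hosts) is not None:
        return fallback
    if urlsplit(candidate).netloc:                 # absolute URL on an allowed host
        return candidate
    # Local path: exactly one leading slash ("//" would be protocol-relative).
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return fallback


# Combined log format: client ident user [time] "request" status size ...
_LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')


def scan_access_log(lines, allowed_hosts=(SITE_HOST,), plugin_path=PLUGIN_PATH):
    """Flag plugin requests whose parameters carry an off-site redirect target.
    parse_qsl decodes once; the extra unquote catches double-encoded payloads
    (%252F%252F...) that a plain grep for 'http://' would miss."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m.group("target"))
        if not req.path.startswith(plugin_path):
            continue
        for name, raw in parse_qsl(req.query, keep_blank_values=True):
            host = offsite_host(unquote(raw), allowed_hosts)
            if host is not None:
                findings.append({"time": m.group("time"), "client": m.group("client"),
                                 "param": name, "host": host, "status": int(m.group("status"))})
    return findings


# Constructed sample lines, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # benign same-site target
    '203.0.113.10 - - [22/Feb/2026:10:00:01 +0000] "GET /wp-content/plugins/conditional-captcha/redirect.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # percent-encoded absolute external URL
    '198.51.100.7 - - [22/Feb/2026:10:00:05 +0000] "GET /wp-content/plugins/conditional-captcha/redirect.php?redirect_to=https%3A%2F%2Fevil.test%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # double-encoded protocol-relative URL
    '198.51.100.7 - - [22/Feb/2026:10:00:09 +0000] "GET /wp-content/plugins/conditional-captcha/redirect.php?redirect_to=%252F%252Fevil.test HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # look-alike host that a "starts with example.com" check would accept
    '198.51.100.8 - - [22/Feb/2026:10:01:00 +0000] "GET /wp-content/plugins/conditional-captcha/redirect.php?redirect_to=https://example.com.evil.test/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # external URL on an unrelated path: out of scope for the plugin rule
    '203.0.113.11 - - [22/Feb/2026:10:02:00 +0000] "GET /?ref=https://evil.test HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Running scan_access_log(SAMPLE_LOG) returns three findings (the encoded, double-encoded and look-alike entries) and ignores the same-site target and the unrelated path; feed it real combined-format lines to hunt for prior exploitation. Inside a WordPress plugin the equivalent of safe_redirect_target is to pass the destination through wp_safe_redirect(), which validates it against the hosts returned by the allowed_redirect_hosts filter rather than redirecting to the raw value.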
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.