CVE-2025-24628: 
WordPress vulnerability analysis and mitigation

A CAPTCHA bypass vulnerability was discovered in BestWebSoft Google Captcha (reCaptcha) WordPress plugin affecting versions up to 1.78. The vulnerability was discovered on December 4, 2024, and publicly disclosed on January 3, 2025. This security issue allows unauthenticated attackers to bypass the CAPTCHA protection functionality offered by the plugin (Patchstack).

The vulnerability is classified as an Authentication Bypass by Spoofing (CWE-290) with a CVSS v3.1 Base Score of 5.3 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N). The scope is unchanged (S:U) with low impact on integrity (I:L) and no impact on confidentiality (C:N) or availability (A:N) (NVD).

The vulnerability allows unauthenticated attackers to bypass the CAPTCHA protection mechanism implemented by the plugin. This bypass could potentially lead to automated attacks that the CAPTCHA was designed to prevent (WPScan).

The vulnerability has been fixed in version 1.79 of the BestWebSoft Google Captcha plugin. Users are advised to update to this version or later to remediate the security issue (Patchstack).