CVEbaza.plCWE DictionaryCWE-804
Common Weakness Enumeration

CWE-804

Guessable CAPTCHA

Category: BaseCVE: 15
Description

The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

CVE vulnerabilities with CWE-804 (15)
9.1
CVSS
CRITICAL
CVE-2025-40916

Mojolicious::Plugin::CaptchaPNG version 1.05 for Perl uses a weak random number source for generating the captcha. That version uses the built-in rand() function for generating the captcha text as well as image noise, which is insecure.

pub. 2025-06-16
8.6
CVSS
HIGH
CVE-2025-50850

An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks.

pub. 2025-07-31
7.5
CVSS
HIGH
CVE-2022-1801

The Very Simple Contact Form WordPress plugin before 11.6 exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check, rendering the page a likely target for spam bots.

pub. 2022-06-20
6.9
CVSS
MEDIUM
CVE-2026-49953

Discuz! X5.0 releases 20260320 through 20260610 contains a CAPTCHA bypass vulnerability that allows unauthenticated remote attackers to defeat challenge controls by exploiting limited complexity and predictable character sets in generated CAPTCHA images. Attackers can train a custom optical character recognition model against collected CAPTCHA samples to reliably predict challenge text, bypassing protections on login, registration, and other functionality from automated abuse.

pub. 2026-06-15
5.5
CVSS
MEDIUM
CVE-2025-8546

A vulnerability, which was classified as problematic, was found in atjiu pybbs up to 6.0.0. This affects the function adminlogin/login of the component Verification Code Handler. The manipulation leads to guessable captcha. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named ecaf8d46944fd03e3c4ea05698f8acf0aaa570cf. It is recommended to apply a patch to fix this issue.

pub. 2025-08-05
5.4
CVSS
MEDIUM
CVE-2026-27411

Guessable CAPTCHA vulnerability in jp-secure SiteGuard WP Plugin siteguard allows Functionality Bypass.This issue affects SiteGuard WP Plugin: from n/a through <= 1.7.9.

pub. 2026-03-05
5.3
CVSS
MEDIUM
CVE-2026-40935

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, letting any unauthenticated client force the server to generate a 1-character CAPTCHA word. Combined with a case-insensitive `strcasecmp` comparison over a ~33-character alphabet and the fact that failed validations do NOT consume the stored session token, an attacker can trivially brute-force the CAPTCHA on any endpoint that relies on `Captcha::validation()` (user registration, password recovery, contact form, etc.) in at most ~33 requests per session. Commit bf1c76989e6a9054be4f0eb009d68f0f2464b453 contains a fix.

pub. 2026-04-21
5.3
CVSS
MEDIUM
CVE-2025-70129

If the anti spam-captcha functionality in PluXml versions 5.8.22 and earlier is enabled, a captcha challenge is generated with a format that can be automatically recognized for articles, such that an automated script is able to solve this anti-spam mechanism trivially and publish spam comments. The details of captcha challenge are exposed within document body of articles with comments & anti spam-captcha functionalities enabled, including "capcha-letter", "capcha-word" and "capcha-token" which can be used to construct a valid post request to publish a comment. As such, attackers can flood articles with automated spam comments, especially if there are no other web defenses available.

pub. 2026-03-10
5.3
CVSS
MEDIUM
CVE-2025-1262

The Advanced Google reCaptcha plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.27 . This makes it possible for unauthenticated attackers to bypass the Built-in Math Captcha Verification.

pub. 2025-02-25
5.3
CVSS
MEDIUM
CVE-2024-30540

Guessable CAPTCHA vulnerability in Guido VS Contact Form allows Functionality Bypass.This issue affects VS Contact Form: from n/a through 14.7.

pub. 2024-05-17
5.3
CVSS
MEDIUM
CVE-2024-31295

Guessable CAPTCHA vulnerability in BestWebSoft Captcha by BestWebSoft allows Functionality Bypass.This issue affects Captcha by BestWebSoft: from n/a through 5.2.0.

pub. 2024-05-17
5.3
CVSS
MEDIUM
CVE-2023-6963

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to bypass the Captcha Verification of the Contact Form block by omitting 'g-recaptcha-response' from the 'data' array.

pub. 2024-02-05
5.3
CVSS
MEDIUM
CVE-2022-4036

The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie.

pub. 2022-11-29
4.2
CVSS
MEDIUM
CVE-2025-32036

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. The algorithm used to generate the captcha image shows the least complexity of the desired image. For this reason, the created image can be easily read by OCR tools, and the intruder can send automatic requests by building a robot and using this tool. This vulnerability is fixed in 9.13.8.

pub. 2025-04-08
2.9
CVSS
LOW
CVE-2025-10423

A vulnerability was found in newbee-mall 1.0. Impacted is the function mallKaptcha of the file /common/mall/kaptcha. The manipulation results in guessable captcha. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The exploit has been made public and could be used.

pub. 2025-09-15
Information
ID: CWE-804
Type: Base
Vulnerabilities: 15
MITRE CWE ↗
← CWE Dictionary
CWE-804 — Guessable CAPTCHA | CWE Dictionary | CVEbaza.pl