CVE-2018-15876

MEDIUM

ajax-bootmodal-login 1.4.3 - CAPTCHA Bypass via Session Reuse

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-15876. PoCs published by qq431169079.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2018-15876, a CAPTCHA reuse vulnerability in the 'ajax-bootmodal-login' WordPress plugin. It describes how an attacker can exploit the vulnerability to register victims, spam users, and brute-force credentials by reusing CAPTCHA tokens within a valid session.

Description

An issue was discovered in the ajax-bootmodal-login plugin 1.4.3 for WordPress. The register form, login form, and password-recovery form require solving a CAPTCHA to perform actions. However, this is required only once per user session, and therefore one could send as many requests as one wished by automation.

Exploits (1)

github WRITEUP
by qq431169079 · htmlpoc
https://github.com/qq431169079/CVE/tree/master/CVE-2018-15876

Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: ajax-bootmodal-login WordPress plugin version 1.4.3 and prior
No auth needed
Prerequisites: Valid user session · Burp Intruder or similar tool for request replay
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 5.3
EPSS 0.0095
EPSS Percentile 56.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE CWE-20
Status published
Products (1)
ajax_bootmodal_login_project/ajax_bootmodal_login 1.4.3
Published Aug 26, 2018
Tracked Since Feb 18, 2026