CVE-2024-12034: 
WordPress vulnerability analysis and mitigation

The Advanced Google reCAPTCHA plugin for WordPress contains a vulnerability (CVE-2024-12034) affecting all versions up to and including 1.25. The vulnerability was discovered and publicly disclosed on December 23, 2024. This security issue impacts the plugin's IP blocking functionality, specifically related to the brute force protection mechanism (NVD, WPScan).

The vulnerability stems from the plugin's failure to implement a strong unique key when generating unblock requests. The issue has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The weakness has been categorized as CWE-340 (Generation of Predictable Numbers or Identifiers) (NVD).

The vulnerability allows unauthenticated attackers to unblock their IP addresses after being locked out due to excessive failed password attempts. This effectively bypasses the plugin's brute force protection mechanism, potentially compromising the security of the WordPress installation (WPScan).

The vulnerability has been fixed in version 1.26 of the Advanced Google reCAPTCHA plugin. Users are advised to update to this version or later to protect their WordPress installations (WPScan).