
CWE-804 (Guessable CAPTCHA) — Vulnerability Class 11

11 vulnerabilities classified as CWE-804 (Guessable CAPTCHA). AI Chinese analysis included.

CWE-804 represents a security weakness where a CAPTCHA challenge is insufficiently complex, allowing automated systems to guess or recognize the solution. Attackers typically exploit this vulnerability by deploying automated scripts or machine learning models to bypass the intended human verification, enabling high-frequency actions that exceed human capabilities. This often facilitates spam attacks, credential stuffing, or brute-force login attempts at scale. Developers avoid this weakness by implementing robust CAPTCHA solutions that utilize advanced image recognition challenges, behavioral analysis, or risk-based assessments that are difficult for non-human actors to solve. Ensuring the challenge requires genuine human interaction, such as identifying subtle visual patterns or responding to dynamic prompts, effectively mitigates the risk of automated bypass and maintains the integrity of the authentication or submission process.

MITRE CWE Description
The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor. An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks.

There can be several different causes of a guessable CAPTCHA:

- An audio or visual image that does not have sufficient distortion from the unobfuscated source image.
- A question is generated with a format that can be automatically recognized, such as a math question.
- A question for which the number of possible answers is limited, such as birth years or favorite sports teams.
- A general-knowledge or trivia question for which the answer can be accessed using a database, such as country capitals or popular entertainers.
- Other data associated with the CAPTCHA may provide hints about its contents, such as an image whose filename contains the word that is used in the CAPTCHA.
Common Consequences (1)

Scope: Access Control, Other
Impact: Bypass Protection Mechanism, Other
Note: When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA.
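As an added example (not part of this page or of MITRE's CWE entry), the following Python audit measures three of the causes listed in the MITRE description above against constructed CAPTCHA generators: a limited answer set, a machine-recognisable question format, and an answer leaked through the image filename. The generators, their names and the sample data are hypothetical; the audit is something a defender would run against their own generator before deployment.

```python
"""Audit helpers for CWE-804: estimate how guessable a CAPTCHA generator is."""
import random
import re
from collections import Counter

# Constructed generators (hypothetical). Each returns (challenge, metadata, answer).
SPORTS = ["football", "basketball", "tennis", "golf", "hockey", "baseball", "rugby", "cricket"]

def favourite_sport_captcha(rng):
    # Weak: only 8 possible answers, and the image filename repeats the answer.
    answer = rng.choice(SPORTS)
    return "Type the sport shown in the picture", f"/img/{answer}.png", answer

def math_captcha(rng):
    # Weak: the question format is machine-recognisable; a regex solves it.
    a, b = rng.randint(1, 9), rng.randint(1, 9)
    return f"What is {a} + {b}?", "/img/q.png", str(a + b)

def token_captcha(rng):
    # Stronger on the three metrics measured here: large answer space, no parseable
    # question, opaque filename. Image distortion quality is NOT measured by this audit.
    answer = "".join(rng.choice("abcdefghjkmnpqrstuvwxyz23456789") for _ in range(6))
    return "Type the characters in the image", f"/img/{rng.getrandbits(32):08x}.png", answer

MATH_SOLVER = re.compile(r"(\d+)\s*\+\s*(\d+)")

def audit(generator, samples=2000, guesses=3, seed=1):
    """Sample the generator and return guessability metrics (all in [0, 1] except the count)."""
    rng = random.Random(seed)
    counts, leaks, auto_solved = Counter(), 0, 0
    for _ in range(samples):
        challenge, meta, answer = generator(rng)
        counts[answer] += 1
        if answer in meta:                      # answer hinted by filename / metadata
            leaks += 1
        m = MATH_SOLVER.search(challenge)       # trivially parseable question format
        if m and str(int(m.group(1)) + int(m.group(2))) == answer:
            auto_solved += 1
    top = sum(c for _, c in counts.most_common(guesses))
    return {
        "distinct_answers": len(counts),
        # success rate of a bot that simply replays the k most common answers
        "top_k_guess_rate": top / samples,
        "metadata_leak_rate": leaks / samples,
        "auto_solve_rate": auto_solved / samples,
    }
```

A generator whose top_k_guess_rate or auto_solve_rate is far above the per-attempt lockout budget of the protected endpoint is, by this page's definition, a guessable CAPTCHA.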

Vulnerabilities classified as CWE-804 (Guessable CAPTCHA) represent 11 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.