Multiple Cross-Site Scripting Vulnerabilities WordPress FunCaptcha Plugin

Game Related Captcha Plugin Needs Updating

A popular captcha plugin, FunCaptcha, which uses small games instead of words or math, has been found to contain cross-site scripting vulnerabilities.

Please check your versions if you are using this plugin and make appropriate updates.

Recent Update To Version 0.4.4 Has Implemented a Fix

FunCaptcha

Compatible up to: 3.7.1
Last Updated: 2013-11-24

Users complete these little games faster than other CAPTCHAs, with fewer frustrating failures and no typing. They work on all browsers and mobile devices, using HTML5 with a fallback to Flash. Visually impaired users can complete an audio challenge CAPTCHA provided by reCAPTCHA.

Two vulnerabilities have been discovered in the FunCaptcha plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the URL to

wp-content/plugins/funcaptcha/wp_funcaptcha_admin_activate.php

is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

The vulnerabilities are confirmed in version 0.4.3. Prior versions may also be affected.
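The defect class described above is reflected XSS: a query-string value is echoed back into the page without escaping. The following is an added illustration, not the FunCaptcha plugin's code, showing that pattern beside the WordPress-idiomatic fix; the parameter name `site_key` is a hypothetical stand-in, since the advisory does not name the affected parameter.

```php
<?php
// Added example (not code from the FunCaptcha plugin). Demonstrates the
// reflected-XSS pattern described in the advisory and its fix: escape
// output for the exact HTML context it lands in.
// "site_key" is a hypothetical parameter name used only for illustration.

// Fallbacks so this file runs from the PHP CLI outside WordPress.
// Inside WordPress the real esc_html()/esc_attr() are already defined.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern: URL input concatenated straight into the admin page,
// once in a text node and once inside an attribute value.
function render_activation_vulnerable(array $query) {
    $key = isset($query['site_key']) ? $query['site_key'] : '';
    return '<p>Registered key: ' . $key . '</p>'
         . '<input type="text" name="site_key" value="' . $key . '">';
}

// Hardened pattern: esc_html() for element content, esc_attr() for
// attribute values. Both neutralise quotes and angle brackets.
function render_activation_hardened(array $query) {
    $key = isset($query['site_key']) ? $query['site_key'] : '';
    return '<p>Registered key: ' . esc_html($key) . '</p>'
         . '<input type="text" name="site_key" value="' . esc_attr($key) . '">';
}

// Constructed input standing in for $_GET on the admin page: it closes the
// attribute and the input element, then injects a new element.
$query = ['site_key' => '"><b>injected</b>'];
echo render_activation_vulnerable($query), "\n"; // new element is rendered
echo render_activation_hardened($query), "\n";   // shown as inert text
```

A plugin file that is reachable directly under wp-content/plugins also bypasses WordPress's login and capability checks, so the usual companion fix is to start such files with `if (!defined('ABSPATH')) { exit; }` so they only execute when loaded by WordPress.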

Changelog

0.4.4

  • Security improvements.
  • Made localhost not cause issues for registration purposes.

Please make sure to keep your website and plugins up-to-date. This is a good example of how easily a vulnerability can be exploited to cause problems for your websites and business. If you have more than one website, make sure you check them all.