If you are running a WordPress site and connecting to it with a regular web browser, you might be asked to complete a CAPTCHA challenge to prove that you are not a robot. The reCAPTCHA WordPress plugin before 1.7 didn't verify that the request came from an IP address on the allow list, so an attacker could spoof the IP address to trick the plugin into showing no captcha on the login screen. The issue was discovered by the folks at Sucuri, who released the following advisory:

RE: WP Login - 1.7.9 - No Captcha IP Spoofing - XSS - Bypass Vulnerability - 180219 -- REPOST - WP - https://t.co/9O8jK5S5pC. — Sucuri Security (@SucuriSecurity) February 19

The WP Login No Captcha plugin has been updated to fix this issue and now verifies that the request came from an IP address on the allow list.

WP Login - 2.0.3 - No Captcha Vulnerability - XSS - Bypass

The WP Login plugin before 2.0.3 was vulnerable to IP spoofing, which could be used to bypass the CAPTCHA on the login page.
To fix this issue, update the plugin to version 2.0.3 or higher, which includes a patch for this vulnerability.
https://wordpress.org/plugins/wp-login-no-captcha/

WP Login - 1.7.9 - No Captcha IP Spoofing - XSS - Bypass Vulnerability - 180219

What is WP Login?

The WP Login plugin is a free plugin that lets you restrict your WordPress login screen to users who provide a valid email address and password, or an email address and a CAPTCHA image. The plugin is popular because of its simplicity and ease of use.
The plugin has been updated to fix this issue and now verifies that the request came from an IP address on the allow list.
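An added example, not the plugin's own code, of the allow-list check described above. The page does not say how the plugin determined the client IP; this example assumes the usual cause of such a bypass, trusting a client-supplied X-Forwarded-For header, and places the weak lookup beside one that honours the header only when the TCP peer is a known reverse proxy. The allow list, proxy address and request values are constructed.

```php
<?php
// Added example; assumes the bypass came from trusting X-Forwarded-For.
// Constructed allow list: IPs that may log in without a captcha.
const CAPTCHA_ALLOW_LIST = ['203.0.113.10', '198.51.100.0/24'];
// Constructed list of reverse proxies whose forwarding header we trust.
const TRUSTED_PROXIES = ['10.0.0.5'];

// Weak: any client can send X-Forwarded-For, so the "client IP" is
// whatever the requester chooses to claim.
function client_ip_weak(array $server): string {
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}

// Hardened: REMOTE_ADDR is the real TCP peer. Only when that peer is one of
// our own proxies do we read X-Forwarded-For, and then we take the last hop
// (the address our proxy appended), not the first, attacker-controlled value.
function client_ip_hardened(array $server): string {
    $peer = $server['REMOTE_ADDR'];
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($hops);
    }
    return $peer;
}

// Match a single IPv4 address against an exact IP or a CIDR block.
function ip_in_cidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $mask = -1 << (32 - (int) $bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// The captcha is skipped only for addresses on the allow list.
function captcha_required(string $ip): bool {
    foreach (CAPTCHA_ALLOW_LIST as $entry) {
        if (ip_in_cidr($ip, $entry)) {
            return false;
        }
    }
    return true;
}

// Constructed request: an unknown peer claiming an allow-listed address.
$request = ['REMOTE_ADDR' => '192.0.2.77', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];
echo 'weak lookup, captcha required: ', var_export(captcha_required(client_ip_weak($request)), true), "\n";
echo 'hardened lookup, captcha required: ', var_export(captcha_required(client_ip_hardened($request)), true), "\n";
```

Behind a real proxy, TRUSTED_PROXIES must list every address the proxy can connect from; an empty or wrong list makes the hardened path fall back to the proxy's own address rather than to a spoofable one.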

Installation

The reCAPTCHA WordPress plugin 1.7.9 has been released to fix this issue. To install the updated plugin, please follow these instructions:
1) Log in to your WordPress admin panel and go to Plugins > Add New
2) Search for "recaptcha"
3) Click on "Install Now"
4) Click on "Install Now" again and select the version number of the new updated version 1.7.9


Timeline

Published on: 09/16/2022 09:15:00 UTC
Last modified on: 09/20/2022 17:44:00 UTC
