I’ve recently received an email asking me to fix some Captcha! vulnerabilities that would allow spammers to enter automated spam comments. Such supposed vulnerabilities were published on a
Russian Ukrainian blog.
Basically, CSRF (cross-site request forgery) means you visit a page under an attacker’s control while you are still logged in to your WordPress blog. Your browser attaches your WordPress login cookie to every request it sends to your site, so if the page has been prepared specifically for you (that is, the attacker knows you are the admin of xxyyzz.com and expects you to browse his page while logged into xxyyzz.com), he can build a malicious page that silently submits a form to your WP admin and changes your configuration (Captcha! included) with your privileges, and then wait for you to visit it.
Using this (rather improbable and really tricky) technique, visiting the attacker’s site can set the Captcha! code length to 0, which disables it: Captcha! won’t check 0-length codes. The same requirement (an administrator lured to a crafted page while logged in) applies to the XSS, the second reported vulnerability.
Protecting against CSRF
This has been fixed in version 2.6 (now available for download).
For previous versions, the best protection against CSRF is to log out of your WP site before browsing untrusted web sites: once you are logged out, your browser sends no login cookie with the forged request, so WordPress rejects it. If you tend to tick the “Remember me” check box when logging in, don’t use it: it keeps your login cookie alive much longer, which widens the window in which such an attack can work.
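To make the fix concrete, here is an added example (my own illustration, not the Captcha! plugin’s actual code, and not necessarily how version 2.6 implements it) of the two things a WordPress settings handler needs to stop the scenario above: a nonce so that a form on a foreign site cannot forge the save request, and server-side validation so that a code length of 0 can never be stored or treated as a pass. The option name, field names, nonce action and admin page slug are assumptions made up for the example.

```php
<?php
// Added example, not the Captcha! plugin's own code. All names below
// (option, nonce action, field, page slug) are hypothetical.

define( 'EX_OPTION',  'example_captcha_length' );  // assumed option name
define( 'EX_ACTION',  'example_captcha_save' );    // assumed nonce action
define( 'EX_MIN_LEN', 4 );
define( 'EX_MAX_LEN', 10 );

// --- The vulnerable pattern: any POST carrying the admin's cookie is honoured.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['captcha_length'] ) ) {
        // A <form> on an attacker's page can auto-submit captcha_length=0.
        // Nothing proves the request came from the real settings page, and
        // nothing stops 0 from being stored, so the CAPTCHA silently turns off.
        update_option( EX_OPTION, $_POST['captcha_length'] );
    }
}

// --- The hardened pattern.
function example_save_settings() {
    if ( ! isset( $_POST['captcha_length'] ) ) {
        return;
    }
    // 1. Only users who may manage options can change the setting at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // 2. The request must carry the nonce that only wp-admin rendered into the
    //    form. A cross-site page cannot read that value, so the forged request
    //    dies here (check_admin_referer calls wp_die on failure).
    check_admin_referer( EX_ACTION, '_example_nonce' );
    // 3. Validate on the server: a length outside the allowed range, 0 included,
    //    is replaced by a safe default instead of being stored.
    update_option( EX_OPTION, example_sanitize_length( $_POST['captcha_length'] ) );
}

function example_sanitize_length( $raw ) {
    $len = absint( $raw );
    if ( $len < EX_MIN_LEN || $len > EX_MAX_LEN ) {
        return EX_MIN_LEN; // never 0, never something that would disable the check
    }
    return $len;
}

// The settings form rendered inside wp-admin; wp_nonce_field() emits the
// hidden nonce input that example_save_settings() verifies.
function example_settings_form() {
    $current = example_sanitize_length( get_option( EX_OPTION, EX_MIN_LEN ) );
    $action  = admin_url( 'options-general.php?page=example-captcha' ); // assumed slug
    ?>
    <form method="post" action="<?php echo esc_url( $action ); ?>">
        <?php wp_nonce_field( EX_ACTION, '_example_nonce' ); ?>
        <label>Code length
            <input type="number" name="captcha_length"
                   min="<?php echo EX_MIN_LEN; ?>" max="<?php echo EX_MAX_LEN; ?>"
                   value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Defence in depth on the comment path: an empty or too-short expected code is
// treated as a misconfiguration that fails the check, not as "nothing to check".
function example_captcha_is_valid( $expected, $submitted ) {
    $expected = (string) $expected;
    if ( strlen( $expected ) < EX_MIN_LEN ) {
        return false;
    }
    return hash_equals( $expected, (string) $submitted );
}

add_action( 'admin_init', 'example_save_settings' );
```

The nonce is what closes the CSRF hole; the range check and the refusal to accept an empty expected code are what make sure that, even if some other path ever writes a bad value, a 0-length setting can no longer switch the CAPTCHA off.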
How will this impact me?
You can relax. There’s nothing dangerous to fix, and Captcha! is safe. Simply upgrade to the latest version.