03 Dec

WordPress Plugin Security Review: Conditional CAPTCHA

For our 20th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Conditional CAPTCHA.

If you are not yet a customer of the service, once you sign up for the service as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.

The review was done on version 4.0.0 of Conditional CAPTCHA. We checked for the following issues during this review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Security issues with usage of add_option(), delete_option(), and update_option()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker


We found one issue. It is not something we check for as part of the review, but we noticed it while checking for reflected cross-site scripting (XSS) vulnerabilities. We notified the developer of the issue a week ago, but we haven’t heard back from them and no changes have been made to the plugin yet.

Arbitrary Comment Approval

In the plugin’s code that handles what to do if the CAPTCHA is entered correctly, the plugin takes an action on the comment as specified by the plugin’s settings. One option is to approve the comment. The problem is that the code, shown below, takes the action on a comment specified by user input, the POST input “trashed_id”, and doesn’t check whether that comment is the one that led to the CAPTCHA being shown. This can be abused to, for example, approve any comment that was previously intentionally trashed.

if( $stored = get_comment( $_POST['trashed_id'] ) ) {
	// change status. this will call wp_notify_postauthor if set to approve
	// note, newer versions of Akismet will not register a false positive just from the status transition, because it explicitly checks to make sure the change was not made by a plugin
	wp_set_comment_status( $stored->comment_ID, $this->options['pass_action'] );
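
One way to tie the action to the comment that led to the CAPTCHA being shown, as an added example (not the plugin's code and not a fix from its developer): the server issues an HMAC over the comment ID when it shows the CAPTCHA, and only acts on a posted ID that matches it. The function names, the key, and the token format are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not part of Conditional CAPTCHA. $key is a
// server-side secret; inside WordPress it could be derived from wp_salt().

/** Issue a token at the moment the CAPTCHA is shown for comment $commentId. */
function cc_issue_token(int $commentId, string $key, int $now, int $ttl = 600): string
{
    $expires = $now + $ttl;
    $mac = hash_hmac('sha256', $commentId . '|' . $expires, $key);
    return $expires . '.' . $mac;
}

/** Return the comment ID only if the token was issued for it and is unexpired. */
function cc_verified_comment_id(string $postedId, string $token, string $key, int $now): ?int
{
    if (!ctype_digit($postedId)) {
        return null;                        // reject non-numeric IDs outright
    }
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;                        // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < $now) {
        return null;                        // challenge has expired
    }
    $expected = hash_hmac('sha256', (int) $postedId . '|' . $expires, $key);
    // Constant-time comparison of the recomputed and the posted MAC.
    return hash_equals($expected, $mac) ? (int) $postedId : null;
}

// Constructed sample values for the demonstration.
$key   = 'constructed-demo-secret';
$now   = 1700000000;
$token = cc_issue_token(101, $key, $now);   // CAPTCHA shown for comment 101

// Posted ID matches the challenge: the configured pass action may proceed.
var_dump(cc_verified_comment_id('101', $token, $key, $now + 30));
// A different "trashed_id" sent with the same token: rejected.
var_dump(cc_verified_comment_id('57', $token, $key, $now + 30));
// The original ID replayed after the token's lifetime: rejected.
var_dump(cc_verified_comment_id('101', $token, $key, $now + 3600));
```

The token would travel as a hidden form field alongside “trashed_id”, and the status change would run only when the verification returns an ID.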