Reflected Cross-Site Scripting (XSS) Vulnerability in CF7 Invisible reCAPTCHA
In the monitoring we do to keep track of vulnerabilities in WordPress plugins for this service, one thing we have noticed is that developers are not always providing full or consistent information on new versions of plugins. For version 1.3.1 of the plugin CF7 Invisible reCAPTCHA, the changelog entry is “Minor bug fix: Resolved the caching issue.” The development log entry for that version indicates something different: “Security Update in Cf7 Invisible reCAPTCHA”. In looking over the new version to see if a vulnerability was being fixed, what we saw was that a significant number of changes had been made, which seems out of line with the changelog entry’s description of the change.
The amount of changes makes it a bit hard to figure out if a vulnerability was fixed, and we didn’t find one in our look over it. But we did see a reflected cross-site scripting (XSS) vulnerability that was introduced in that version.