• Resolved littleideasbigdreams

    (@littleideasbigdreams)


    Hi Robert Peake and contributors, I love your plugin and just wanted to notify you of a bug I have found. It seems that with the login no captcha V2 at the Woocommerce registration form, the default Woocommerce password security feature no longer works. Meaning the “Register” button remains greyed out for “very weak” and “weak” passwords as it should, however if the button is clicked the form is submitted and the user is registered to the site anyway. When the plugin is disabled the security functionality returns to how it should be where when the button is greyed out the form cannot be submitted. Love the plugin and cheers.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Robert Peake

    (@robertpeake)

    Thanks for this.

    It seems WordPress Core’s security check for weak passwords is only enforced via javascript on the front-end by disabling the submit button.

    The captcha plugin, by contrast, only disables/enables the button as a convenience–checking is always done on the back end for security reasons.

    Unfortunately, I am not aware of any way to make the on/off button locking compatible with what WordPress Core is doing, as they seem to simply turn it off or on–rather than emitting a signal that could be caught by the captcha plugin to ensure that both the captcha and the strong password criteria are met.

    Locking a button via javascript is never a secure way to enforce anything as it can easily be unlocked by a user with a small amount of html/js knowledge. As a result, this issue stems from a decision made by WordPress Core to enforce strong passwords in an insecure way.

    I appreciate you taking the time to report this, and if you know of a way to remedy it via a change to the plugin we would welcome a pull request: https://github.com/cyberscribe/login-recaptcha/ – otherwise you may wish to file a bug report with WordPress Core https://make.www.ads-software.com/core/handbook/testing/reporting-bugs/ (though, be warned, in my experience they are very defensive about their design decisions and unlikely to remedy this).
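The plugin author's point is that a greyed-out button is a convenience, and that anything the site actually relies on has to be checked on the server. The following is an added example (not code from the login-recaptcha plugin, from WooCommerce, or from WordPress Core) of what server-side enforcement of a password policy on the WooCommerce registration form looks like. It uses WooCommerce's `woocommerce_process_registration_errors` filter, which receives the `WP_Error` object, username, password and email of the pending registration; the strength rules themselves (minimum length, character classes, no reuse of the username or email local part, a small deny list) are an assumed policy chosen for illustration, and the `example_` function names are hypothetical.

```php
<?php
/**
 * Added example: reject weak passwords on the WooCommerce registration form
 * on the server side, independently of the client-side "Register" button
 * lock. Hook and argument order follow WooCommerce's
 * 'woocommerce_process_registration_errors' filter; the policy is assumed.
 */

add_filter( 'woocommerce_process_registration_errors', 'example_enforce_password_policy', 10, 4 );

/**
 * Filter callback. Adds an error to $errors when the submitted password
 * fails the policy, which makes WooCommerce abort the registration.
 *
 * @param WP_Error $errors   Validation errors collected so far.
 * @param string   $username Submitted username (may be empty).
 * @param string   $password Submitted password. Empty when WooCommerce is
 *                           configured to generate the password itself.
 * @param string   $email    Submitted email address.
 * @return WP_Error
 */
function example_enforce_password_policy( $errors, $username, $password, $email ) {
    // Nothing to check when WooCommerce generates the password server-side.
    if ( '' === $password ) {
        return $errors;
    }

    $problems = example_password_problems( $password, $username, $email );
    if ( ! empty( $problems ) ) {
        $errors->add(
            'registration-error-weak-password',
            sprintf( 'Password rejected: %s.', implode( '; ', $problems ) )
        );
    }
    return $errors;
}

/**
 * Returns a list of policy violations for $password (empty list = accepted).
 * The thresholds and deny list below are an assumed example policy.
 */
function example_password_problems( $password, $username = '', $email = '' ) {
    $problems = array();
    $min_length = 12; // assumed minimum

    if ( strlen( $password ) < $min_length ) {
        $problems[] = sprintf( 'must be at least %d characters', $min_length );
    }

    // Require three of four character classes.
    $classes = 0;
    $classes += preg_match( '/[a-z]/', $password ) ? 1 : 0;
    $classes += preg_match( '/[A-Z]/', $password ) ? 1 : 0;
    $classes += preg_match( '/[0-9]/', $password ) ? 1 : 0;
    $classes += preg_match( '/[^a-zA-Z0-9]/', $password ) ? 1 : 0;
    if ( $classes < 3 ) {
        $problems[] = 'must mix at least three of: lower case, upper case, digits, symbols';
    }

    // Do not allow the username or the local part of the email inside the password.
    $lower = strtolower( $password );
    $local = strtolower( (string) strstr( $email, '@', true ) );
    foreach ( array( strtolower( $username ), $local ) as $token ) {
        if ( strlen( $token ) >= 4 && false !== strpos( $lower, $token ) ) {
            $problems[] = 'must not contain your username or email address';
            break;
        }
    }

    // Small constructed deny list of very common choices; a real deployment
    // would use a much larger list or a breached-password lookup.
    $denied = array( 'password1234', 'qwertyuiop12', '123456789012', 'welcome12345' );
    if ( in_array( $lower, $denied, true ) ) {
        $problems[] = 'is on the list of commonly used passwords';
    }

    return $problems;
}
```

Because the check runs inside WooCommerce's registration handler, it holds regardless of whether the browser-side strength meter ever disabled the button, and it runs alongside, not instead of, the captcha plugin's own server-side verification. The client-side lock can stay as a usability hint; it is simply no longer the thing the site depends on.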

    Thread Starter littleideasbigdreams

    (@littleideasbigdreams)

    Hi Robert, I understand, thank you for taking the time to explain this. Unfortunately I do not know of any solution, however if it is any consolation I know that other plugins that have similar functionality to yours do not have this same issue, such as the plugin named “Advanced Google reCAPTCHA”. Not sure if that does any good, but figured I would mention it in case. Thank you and all the best!

  • The topic ‘Security Bug’ is closed to new replies.