Metamorfosec Security Advisory METS-2019-003

Denial of Service in PS PHPCaptcha WP before v1.2.0

FIRST PUBLISHED: February 16, 2019
VERSION: 1.0
VENDOR: Peter Stimpel
PRODUCT: PS PHPCaptcha WP
VERSION AFFECTED: Before v1.2.0
CVE-ID: CVE-2019-7412

PRODUCT DESCRIPTION:
(from WordPress Plugins Page: https://wordpress.org/plugins/ps-phpcaptcha/#description)

If you are keen to provide your users kind of a tracking free environment, you would have to remove Google Recaptcha and other cloud based Captcha solutions from your WordPress installation. PS PHPCaptcha WP does not use any remote resources. This makes it fully GDPR compliant without any need to mention it in your privacy policy.

To generate the image this plugin does not need to use the WordPress database and therefore IO of the database is very low. This is very important if you run a site with high traffic.

This plugin will create a captcha displaying a text, with the try to confuse OCR by drawing some random lines.

FINDING:
The PS PHPCaptcha WP plugin before v1.2.0 for WordPress mishandles sanitization of input values. Remote authenticated users could set $stringlength to a large integer, leading to a denial of service (preventing the creation of the CAPTCHA), because the number of characters is not checked, i.e. $MinStringLength and $MaxStringLength are not defined.

PROOF OF CONCEPT:
1. Log in to WordPress
2. Install and activate PS PHPCaptcha WP before v1.2.0 (tested in v1.1.0)
3. Go to Settings-PSPHPCaptchaWP
4. In the Number of characters field, enter a large integer. For example, 10000000000000000.
5. Log out from WordPress
6. Go to the site, open an available post, and click Comment (the browser takes longer to reload and the CAPTCHA is not created)

MITIGATION:
Update to v1.2.0 or newer

ADVISORY TIMELINE:
Jan 19, 2019 - First contact to developer and got a response
Jan 20, 2019 - Developer released v1.2.0
Jan 21, 2019 - Requested a CVE-ID
Feb 6, 2019 - Received a CVE-ID (CVE-2019-7412)
Feb 16, 2019 - Published this advisory (v1.0)

REVISION HISTORY:
Version 1.0 (Feb 16, 2019) - First release

REFERENCES:
https://wordpress.org/plugins/ps-phpcaptcha/#developers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7412

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on our website.
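
The missing check described under FINDING can be closed with a bounded integer validation applied both when the setting is saved and again when the CAPTCHA text is built. The following is an added example, not code from the plugin or from this advisory's author; the function names, the constants and the 4 to 8 bounds are assumptions chosen for illustration.

```php
<?php
// Added illustration: bounded validation for a "number of characters" setting.
// Function names, constants and the 4..8 bounds are assumptions, not plugin code.

const EXAMPLE_MIN_STRING_LENGTH = 4;     // assumed lower bound
const EXAMPLE_MAX_STRING_LENGTH = 8;     // assumed upper bound
const EXAMPLE_DEFAULT_STRING_LENGTH = 6; // assumed fallback

/**
 * Validate the submitted value when the settings form is saved.
 * Returns an int inside the bounds, or the default if the input is not
 * an integer or lies outside the bounds.
 */
function example_sanitize_string_length($raw): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => [
            'min_range' => EXAMPLE_MIN_STRING_LENGTH,
            'max_range' => EXAMPLE_MAX_STRING_LENGTH,
        ],
    ]);
    return $value === false ? EXAMPLE_DEFAULT_STRING_LENGTH : $value;
}

/**
 * Re-check the stored value at render time, so a value saved before the
 * validation existed cannot drive an unbounded generation loop.
 */
function example_captcha_text($storedLength): string
{
    $length = example_sanitize_string_length($storedLength);
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $text = '';
    for ($i = 0; $i < $length; $i++) {
        $text .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $text;
}

// Constructed sample inputs, including the value from the proof of concept.
foreach (['6', '10000000000000000', '-1', 'abc', '', '8'] as $input) {
    $len = example_sanitize_string_length($input);
    printf("%-22s -> %d (%s)\n", var_export($input, true), $len, example_captcha_text($input));
}
```

Rejecting out-of-range input in favour of a default, rather than clamping it, keeps a mistyped or hostile value from silently becoming the maximum.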