Web Flaws and Vulnerabilities

Altcha GDPR Compliant Captcha and Bot Protection <=2.2 Multiple Vulnerabilities


Altcha is a privacy-focused alternative to reCAPTCHA. This extension promises to eliminate tracking, cookies, and fingerprinting, offering robust, accessible, and globally compliant security without any complicated setup.

Their service is 100% self-hosted, with no external requests or data sharing. You can find version 2 of this extension at https://github.com/altcha-org/altcha-wordpress-next/releases.

This version 2 isn’t on wp.org because it’s no longer open-source and therefore incompatible with WordPress rules. Agencies are already starting to abandon this extension. (It’s likely to get worse by the end of this article).

However, this plugin also appears to have multiple vulnerabilities, which its developers ignored after I informed them by email.

Insecure Direct Object Reference (IDOR) via Missing Nonce

Location: /includes/admin/actions.php#L31

Issue: There is no nonce validation, only a check on the role of the logged-in user. That is not enough on its own and leads to CSRF flaws.

Impact: It is simple to force an admin into performing an action for which only their role is checked.

Severity: CVSS v3.1: 3.5 (Low)

More: It is a serious omission not to use a security token in a WordPress plugin. The score stays low because the problem lies in the implementation rather than in what the plugin does. WordPress already provides native nonce handling: a settings form built with the Settings API (settings_fields() on the form, options.php on submit) gets the token and its verification for free, so it is a shame not to use it.

[Screenshot: the flaw]

Any free, dumb generative AI like ChatGPT is capable of detecting that vulnerability.


CSRF #1, #2, #3

Location: /includes/admin/actions.php#L42-91 (the three “set” functions)

Issue: Since altcha_ajax_check_access() does not check a security nonce token, it is possible to make an admin validate POST data without their knowledge through a hidden POST form on an attacker-controlled page. It is easy to get them to visit that page; the form is then submitted blindly, and the data is accepted because the admin is logged in with the right role (the power) but nothing proves they intended the request (the will).

Impact: An attacker can force an admin to edit any setting from the plugin.

Severity: CVSS v3.1: 9.5 (Critical)

More: The plugin settings include the ability to skip the captcha when certain cookies are present, to exempt IP addresses or paths, to modify the license (to invalidate it, for example), and to set the “under attack” parameter to “false”. The attacker can therefore choose whatever suits them best to bypass the security measures that were put in place.
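The pattern behind the missing-nonce finding and the three CSRF findings above, as an added example that is not the plugin's own code: an admin-ajax handler that checks only the capability, the hidden form an attacker would host against it, and the same handler with a nonce. The function names prefixed altcha_demo_, the option name, the admin page hook and the nonce action 'altcha_demo_settings' are hypothetical.

```php
<?php
// Added example, not the plugin's code. Names prefixed altcha_demo_ and the
// nonce action 'altcha_demo_settings' are hypothetical.

// BEFORE: capability check only. The browser attaches the WordPress login
// cookies to any request aimed at the site, so an admin who merely visits an
// attacker's page can be made to submit this request without knowing it.
function altcha_demo_set_setting_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $under_attack = ! empty( $_POST['under_attack'] );
    update_option( 'altcha_demo_under_attack', $under_attack );
    wp_send_json_success();
}
add_action( 'wp_ajax_altcha_demo_set_setting_vulnerable', 'altcha_demo_set_setting_vulnerable' );

// Constructed attacker page (hosted on any site): a hidden, auto-submitting
// form. Sending under_attack=0 turns the protection off using the admin's
// session; no token is needed because none is checked.
//
//   <form action="https://victim.example/wp-admin/admin-ajax.php" method="POST">
//     <input type="hidden" name="action" value="altcha_demo_set_setting_vulnerable">
//     <input type="hidden" name="under_attack" value="0">
//   </form>
//   <script>document.forms[0].submit();</script>

// AFTER: same capability check plus a nonce bound to an action name.
// check_ajax_referer() ends the request with HTTP 403 when the nonce is
// missing, expired, or was issued for another action or user, so the
// cross-site form above fails: the attacker's page cannot read a nonce
// from our origin (same-origin policy), so it cannot supply one.
function altcha_demo_set_setting_fixed() {
    check_ajax_referer( 'altcha_demo_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $under_attack = ! empty( $_POST['under_attack'] );
    update_option( 'altcha_demo_under_attack', $under_attack );
    wp_send_json_success();
}
add_action( 'wp_ajax_altcha_demo_set_setting_fixed', 'altcha_demo_set_setting_fixed' );

// The legitimate admin page receives its nonce from the server through the
// plugin's own script, which sends it back as the 'nonce' POST field.
function altcha_demo_enqueue_admin_script( $hook_suffix ) {
    if ( 'settings_page_altcha-demo' !== $hook_suffix ) {   // hypothetical page hook
        return;
    }
    wp_enqueue_script( 'altcha-demo-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'altcha-demo-admin', 'altchaDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'altcha_demo_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'altcha_demo_enqueue_admin_script' );
```

The capability check answers "may this user do this?"; the nonce answers "did this user actually ask for it?". Both are needed, and the order matters little as long as both run before update_option(). For a classic options form the Settings API does the same job without any custom handler: settings_fields() emits the nonce and options.php verifies it.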

[Screenshot: CSRF]


Timing Side-Channel Attack on Signature Check

Location: /includes/plugin.php#L1260, 1298, 1300

Issue: Hash comparisons use === instead of hash_equals(). The === operator stops at the first differing byte, so the comparison time leaks how many leading bytes of the guess were correct, which is what a timing attack measures.

Impact: An attacker can brute-force the hash character by character, one position at a time, by measuring response times.

Severity: CVSS v3.1: 3.7 (Low)

More: A timing attack on keys like these would be long and costly to run over the network, but the technique is well known, and the vulnerability is there.

[Screenshot: triple equal]


Insufficient Entropy #1

Location: includes/plugin.php#L836

Issue: The generated hash uses only 12 bytes (96 bits), which is below the recommended minimum of 128 bits.

Impact: Attacks are easier to perform, in particular the timing attack and brute force.

Severity: CVSS v3.1: 3.7 (Low)

[Screenshot: 12 bytes only]


Insufficient Entropy #2

Location: includes/plugin.php#463-473

Issue: The get_edk() function derives a client key from the IP address and User-Agent using predictable hashes. It includes no randomness (time() is not random!), so anyone who knows the inputs can compute the result.

Impact: An attacker can:

  • Predict another user’s hash by knowing their IP address and user agent.
  • Reuse the same hash all day (the time is rounded to the day).
  • Perform collision attacks (truncated hashes of 16 characters each).
  • Bypass EDK-based rate limiting by generating valid hashes.
  • Impersonate another user in the rate limiting system.

Severity: CVSS v3.1: 5.9 (Medium)

More: It is true that writing crypto correctly is not easy; those who do not work in the field rarely have the right patterns in mind. AI can help at this level: give it the context and the code should be usable, but of course it still needs to be tested.
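The three crypto-hygiene findings above (the === comparison, the 12-byte token, and the predictable get_edk() key) fixed side by side, as an added example that is not the plugin's code: constant-time signature verification with hash_equals(), a 16-byte token from the CSPRNG, and a client key that stays stable per client but cannot be computed without a server-side secret. The altcha_demo_ function names, the secret handling and the sample IP/User-Agent are hypothetical, and the "predictable" variant at the end is a reconstruction of the pattern the post describes (unkeyed hash of IP, UA and rounded time, truncated to 16 characters), not the plugin's exact code.

```php
<?php
// Added example, not the plugin's code. The altcha_demo_ names are
// hypothetical. Run stand-alone with: php demo.php

// Entropy #1: a token of 16 random bytes (128 bits) from the kernel CSPRNG.
function altcha_demo_token(): string {
    return bin2hex( random_bytes( 16 ) );   // 32 hex characters, 128 bits of entropy
}

// Timing side channel: === returns as soon as the first differing byte is
// seen, so the time taken leaks how many leading bytes of $sig were right.
function altcha_demo_verify_vulnerable( string $payload, string $sig, string $key ): bool {
    return hash_hmac( 'sha256', $payload, $key ) === $sig;
}

// hash_equals() compares every byte whatever the position of the mismatch
// (and returns false on a length mismatch). The known, server-side value is
// the first argument, the user-supplied value the second.
function altcha_demo_verify( string $payload, string $sig, string $key ): bool {
    $expected = hash_hmac( 'sha256', $payload, $key );
    return hash_equals( $expected, $sig );
}

// Entropy #2: a rate-limiting key must be the same for one client across
// requests, so it cannot be random, but nobody without the server secret
// should be able to compute it for someone else. Keying the hash with the
// secret gives that; keeping the full 64-character digest removes the
// collision room of a 16-character truncation. The day number still
// rotates the key daily, which is what the original rounding intended.
function altcha_demo_edk( string $ip, string $ua, string $secret, int $now ): string {
    $day = intdiv( $now, 86400 );
    return hash_hmac( 'sha256', $ip . "\0" . $ua . "\0" . $day, $secret );
}

// The secret is generated once (random_bytes, never time()) and stored
// server-side, e.g. in wp_options with autoload off; here it is in memory.
$secret = bin2hex( random_bytes( 32 ) );

$token = altcha_demo_token();
$sig   = hash_hmac( 'sha256', $token, $secret );
$ok    = altcha_demo_verify( $token, $sig, $secret );                      // genuine signature
$bad   = altcha_demo_verify( $token, substr( $sig, 0, -1 ) . '0', $secret ); // last hex digit tampered

// Constructed client. The unkeyed, truncated form can be computed by anyone
// who knows the victim's IP and User-Agent; the keyed form cannot.
$ip = '203.0.113.7';
$ua = 'Mozilla/5.0 (constructed)';
$predictable = substr( md5( $ip . $ua . intdiv( time(), 86400 ) ), 0, 16 );
$keyed       = altcha_demo_edk( $ip, $ua, $secret, time() );

printf( "genuine verifies: %s, tampered verifies: %s\n", var_export( $ok, true ), var_export( $bad, true ) );
printf( "predictable key: %s (%d chars)\nkeyed key:       %s (%d chars)\n",
    $predictable, strlen( $predictable ), $keyed, strlen( $keyed ) );
```

Two points worth keeping in mind: hash_equals() only protects the comparison, so the value being compared must itself be unguessable (hence the 16-byte token), and the keyed EDK is only as secret as the key, so the key must come from random_bytes() and never from anything an attacker can observe or predict.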

[Screenshot: lack of entropy]


Race Condition

Location: includes/plugin.php#1129-1170

Issue: The `rate_limit()` function uses WordPress transients without any atomic locking, which allows a race condition. Two simultaneous requests can both pass the limit by executing between `get_transient()` and `set_transient()`: each reads the same counter and writes the same incremented value, so one increment is lost. What is missing is an atomic check-and-increment, for example a locked SQL update committed in a single transaction.

Impact: An attacker can send parallel requests to exceed the limit, and thus bypass the captcha.

Severity: CVSS v3.1: 5.3 (Medium)
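As an added example (not the plugin's code) of the race described above and of the atomic alternative: the read-modify-write pattern on transients next to a counter kept in wp_options and advanced by one conditional UPDATE, which InnoDB executes atomically per row. The altcha_demo_ function names, the option-name prefix and the bucket layout are hypothetical; the code assumes a loaded WordPress environment for get_transient(), set_transient() and $wpdb.

```php
<?php
// Added example, not the plugin's code. Names prefixed altcha_demo_ are
// hypothetical; assumes WordPress is loaded (transients, $wpdb).

// BEFORE (race-prone): two separate calls. Requests A and B that both read
// 4 against a limit of 5 both write 5 and both pass; only one is counted.
function altcha_demo_rate_limit_racy( string $key, int $limit, int $window ): bool {
    $count = (int) get_transient( $key );        // A and B read the same value here
    if ( $count >= $limit ) {
        return false;
    }
    set_transient( $key, $count + 1, $window );  // both write count + 1
    return true;
}

// AFTER: one UPDATE that increments only while the counter is under the
// limit. The row update is atomic, so N concurrent requests get at most
// $limit successes. The time window is part of the row name, so a new
// window starts from a fresh row and old rows are simply no longer used.
function altcha_demo_rate_limit( string $key, int $limit, int $window ): bool {
    global $wpdb;
    $bucket = 'altcha_demo_rl_' . md5( $key ) . '_' . intdiv( time(), $window );

    // Create the bucket once; INSERT IGNORE is a no-op when the row exists
    // (option_name is unique in wp_options). autoload=no keeps it out of
    // the alloptions cache.
    $wpdb->query( $wpdb->prepare(
        "INSERT IGNORE INTO {$wpdb->options} (option_name, option_value, autoload) VALUES (%s, '0', 'no')",
        $bucket
    ) );

    // Atomic check-and-increment: exactly one affected row means "allowed".
    $affected = $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->options} SET option_value = option_value + 1
         WHERE option_name = %s AND CAST(option_value AS UNSIGNED) < %d",
        $bucket,
        $limit
    ) );
    return 1 === $affected;
}

// Housekeeping: remove buckets from earlier windows (hook to WP-Cron).
function altcha_demo_rate_limit_cleanup( int $window ): void {
    global $wpdb;
    $prefix  = $wpdb->esc_like( 'altcha_demo_rl_' ) . '%';
    $current = $wpdb->esc_like( 'altcha_demo_rl_' ) . '%' . $wpdb->esc_like( '_' . intdiv( time(), $window ) );
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->options} WHERE option_name LIKE %s AND option_name NOT LIKE %s",
        $prefix,
        $current
    ) );
}

// Usage inside a request handler, keyed on whatever identifies the client:
// if ( ! altcha_demo_rate_limit( $client_key, 5, 60 ) ) { wp_send_json_error( 'rate limited', 429 ); }
```

The UPDATE deliberately goes through $wpdb rather than update_option(), because the atomicity lives in the database, not in the options cache; with a persistent object cache, transients never even reach MySQL, which is one more reason the original check-then-set cannot be made safe by tuning it. Where a Redis or Memcached drop-in is guaranteed, wp_cache_incr() is an atomic alternative, but the default in-memory cache gives no such guarantee.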

[Screenshot: race condition]


IP Spoofing via X-Forwarded-For (Trust Boundary Violation)

Location: includes/plugin.php#L581-614

Issue: By default, the HTTP X-Forwarded-For header is used to determine the client's IP address without sufficient validation. The trustedProxies list is empty by default, so the condition on line 605, the only check tied to that list, is never executed and the header is used as-is.

Impact: An attacker can send an arbitrary X-Forwarded-For header, for example with the value 1.2.3.4, so that this address is the one read as the client IP, and change it again on the next request. With this they can, for example:

  • Bypass Rate Limiting: The attacker can change their IP address with each request to avoid limits.
  • Bypass Firewalls: Bypass IP blocking (blockIps).
  • Gain Unauthorized Access: Spoof a whitelisted IP address (bypassIps).
  • Log Pollution: Fake IP addresses in analytics.
  • Bypass Under Attack Mode: The IP hash (get_ip_address_hash()) can be manipulated.

Severity: CVSS v3.1: 3.1 (Low)

More: The IP-hash protection is ineffective because the IP address used to generate the hash can be controlled by the attacker via X-Forwarded-For. The “Under Attack” mode therefore loses its effectiveness.
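The safe way to read X-Forwarded-For, as an added example that is not the plugin's code: honour the header only when the TCP peer (REMOTE_ADDR) is a proxy you operate, and then walk the chain from the right, past your own proxies, to the first address you did not add yourself. With an empty trusted list the header is never consulted, which is the opposite of the default the post describes. The function name altcha_demo_client_ip(), the proxy address and the sample requests are hypothetical and constructed.

```php
<?php
// Added example, not the plugin's code. The altcha_demo_ name, the proxy
// address and the requests below are hypothetical/constructed.
// Run stand-alone with: php demo.php

// Resolve the client IP from a $_SERVER-like array.
function altcha_demo_client_ip( array $server, array $trusted_proxies ): string {
    $remote = $server['REMOTE_ADDR'] ?? '';

    // The peer is not one of our proxies: whatever it put in the header is
    // attacker-controlled, so the socket address is the client address.
    if ( ! in_array( $remote, $trusted_proxies, true ) ) {
        return $remote;
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops   = array_map( 'trim', explode( ',', $header ) );

    // Each proxy appends the address it saw, so the rightmost entry was
    // written by our own proxy and is the only trustworthy one. Skip our
    // proxies; the first address that is not ours is the real client.
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        $hop = $hops[ $i ];
        if ( in_array( $hop, $trusted_proxies, true ) ) {
            continue;
        }
        if ( false !== filter_var( $hop, FILTER_VALIDATE_IP ) ) {
            return $hop;
        }
        break;   // malformed entry: do not guess, fall back to the peer
    }
    return $remote;
}

$trusted = array( '10.0.0.5' );   // hypothetical reverse proxy in front of PHP

// Constructed request 1: direct connection, attacker sets the header himself.
$direct = array(
    'REMOTE_ADDR'          => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
);
// Constructed request 2: same attacker behind our proxy, which appended the
// address it saw; the attacker's own '1.2.3.4' sits to the left of it.
$proxied = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.9',
);

// In all three cases the function resolves to the real peer, 198.51.100.9,
// and the injected 1.2.3.4 is ignored: the header only counts when our
// proxy vouches for it, and with an empty list it never counts at all.
printf( "direct, trusted list:   %s\n", altcha_demo_client_ip( $direct, $trusted ) );
printf( "proxied, trusted list:  %s\n", altcha_demo_client_ip( $proxied, $trusted ) );
printf( "direct, empty list:     %s\n", altcha_demo_client_ip( $direct, array() ) );
```

Everything downstream of this function (rate limiting, blockIps, bypassIps, the analytics, and the get_ip_address_hash() used by "Under Attack" mode) is only as reliable as the address it returns, which is why the trust decision belongs here and nowhere else.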

[Screenshots: get ip / get ip and spoof me]


Overall risk score for the entire extension: 5/10 (Medium)

It is recommended not to use this plugin in production until these vulnerabilities are patched.

SecuPress already tags this extension as vulnerable, Patchstack will follow, etc.

In 2025, for a small plugin like this, you could easily get help from capable AI such as CursorAI with Opus 4.5 and Sonnet 4.5 (not Composer for security auditing, nor Gemini 3 Pro) for development, optimization, and security; many of these vulnerabilities would have been avoided.
