Changeset 3063866

Timestamp:

04/03/2024 03:18:19 PM (21 months ago)

Author:

wfryan

Message:

1.1.11 - April 3, 2024

• Fix: Revised the behavior of the reCAPTCHA verification to use the documented expiration period of the token and response to avoid sending verification requests too frequently, which could artificially lower scores in some circumstances

Location:

wordfence-login-security

Files:

• tags/1.1.11 (copied) (copied from wordfence-login-security/trunk)
• tags/1.1.11/classes/controller/captcha.php (modified) (1 diff)
• tags/1.1.11/classes/controller/users.php (modified) (2 diffs)
• tags/1.1.11/classes/controller/wordfencels.php (modified) (1 diff)
• tags/1.1.11/css/admin-global.1710170444.css (deleted)
• tags/1.1.11/css/admin-global.1712157269.css (added)
• tags/1.1.11/css/admin.1710170444.css (deleted)
• tags/1.1.11/css/admin.1712157269.css (added)
• tags/1.1.11/css/colorbox.1710170444.css (deleted)
• tags/1.1.11/css/colorbox.1712157269.css (added)
• tags/1.1.11/css/embedded.1710170444.css (deleted)
• tags/1.1.11/css/embedded.1712157269.css (added)
• tags/1.1.11/css/font-awesome.1710170444.css (deleted)
• tags/1.1.11/css/font-awesome.1712157269.css (added)
• tags/1.1.11/css/ionicons.1710170444.css (deleted)
• tags/1.1.11/css/ionicons.1712157269.css (added)
• tags/1.1.11/css/jquery-ui.min.1710170444.css (deleted)
• tags/1.1.11/css/jquery-ui.min.1712157269.css (added)
• tags/1.1.11/css/jquery-ui.structure.min.1710170444.css (deleted)
• tags/1.1.11/css/jquery-ui.structure.min.1712157269.css (added)
• tags/1.1.11/css/jquery-ui.theme.min.1710170444.css (deleted)
• tags/1.1.11/css/jquery-ui.theme.min.1712157269.css (added)
• tags/1.1.11/css/login.1710170444.css (deleted)
• tags/1.1.11/css/login.1712157269.css (added)
• tags/1.1.11/css/wfselect2.min.1710170444.css (deleted)
• tags/1.1.11/css/wfselect2.min.1712157269.css (added)
• tags/1.1.11/css/woocommerce-account.1710170444.css (deleted)
• tags/1.1.11/css/woocommerce-account.1712157269.css (added)
• tags/1.1.11/js/admin-global.1710170444.js (deleted)
• tags/1.1.11/js/admin-global.1712157269.js (added)
• tags/1.1.11/js/admin.1710170444.js (deleted)
• tags/1.1.11/js/admin.1712157269.js (added)
• tags/1.1.11/js/chart.umd.1710170444.js (deleted)
• tags/1.1.11/js/chart.umd.1712157269.js (added)
• tags/1.1.11/js/jquery.colorbox.1710170444.js (deleted)
• tags/1.1.11/js/jquery.colorbox.1712157269.js (added)
• tags/1.1.11/js/jquery.colorbox.min.1710170444.js (deleted)
• tags/1.1.11/js/jquery.colorbox.min.1712157269.js (added)
• tags/1.1.11/js/jquery.qrcode.min.1710170444.js (deleted)
• tags/1.1.11/js/jquery.qrcode.min.1712157269.js (added)
• tags/1.1.11/js/jquery.tmpl.min.1710170444.js (deleted)
• tags/1.1.11/js/jquery.tmpl.min.1712157269.js (added)
• tags/1.1.11/js/login.1710170444.js (deleted)
• tags/1.1.11/js/login.1712157269.js (added)
• tags/1.1.11/js/wfselect2.min.1710170444.js (deleted)
• tags/1.1.11/js/wfselect2.min.1712157269.js (added)
• tags/1.1.11/languages/wordfence-login-security.pot (modified) (7 diffs)
• tags/1.1.11/readme.txt (modified) (2 diffs)
• tags/1.1.11/wordfence-login-security.php (modified) (2 diffs)
• trunk/classes/controller/captcha.php (modified) (1 diff)
• trunk/classes/controller/users.php (modified) (2 diffs)
• trunk/classes/controller/wordfencels.php (modified) (1 diff)
• trunk/css/admin-global.1710170444.css (deleted)
• trunk/css/admin-global.1712157269.css (added)
• trunk/css/admin.1710170444.css (deleted)
• trunk/css/admin.1712157269.css (added)
• trunk/css/colorbox.1710170444.css (deleted)
• trunk/css/colorbox.1712157269.css (added)
• trunk/css/embedded.1710170444.css (deleted)
• trunk/css/embedded.1712157269.css (added)
• trunk/css/font-awesome.1710170444.css (deleted)
• trunk/css/font-awesome.1712157269.css (added)
• trunk/css/ionicons.1710170444.css (deleted)
• trunk/css/ionicons.1712157269.css (added)
• trunk/css/jquery-ui.min.1710170444.css (deleted)
• trunk/css/jquery-ui.min.1712157269.css (added)
• trunk/css/jquery-ui.structure.min.1710170444.css (deleted)
• trunk/css/jquery-ui.structure.min.1712157269.css (added)
• trunk/css/jquery-ui.theme.min.1710170444.css (deleted)
• trunk/css/jquery-ui.theme.min.1712157269.css (added)
• trunk/css/login.1710170444.css (deleted)
• trunk/css/login.1712157269.css (added)
• trunk/css/wfselect2.min.1710170444.css (deleted)
• trunk/css/wfselect2.min.1712157269.css (added)
• trunk/css/woocommerce-account.1710170444.css (deleted)
• trunk/css/woocommerce-account.1712157269.css (added)
• trunk/js/admin-global.1710170444.js (deleted)
• trunk/js/admin-global.1712157269.js (added)
• trunk/js/admin.1710170444.js (deleted)
• trunk/js/admin.1712157269.js (added)
• trunk/js/chart.umd.1710170444.js (deleted)
• trunk/js/chart.umd.1712157269.js (added)
• trunk/js/jquery.colorbox.1710170444.js (deleted)
• trunk/js/jquery.colorbox.1712157269.js (added)
• trunk/js/jquery.colorbox.min.1710170444.js (deleted)
• trunk/js/jquery.colorbox.min.1712157269.js (added)
• trunk/js/jquery.qrcode.min.1710170444.js (deleted)
• trunk/js/jquery.qrcode.min.1712157269.js (added)
• trunk/js/jquery.tmpl.min.1710170444.js (deleted)
• trunk/js/jquery.tmpl.min.1712157269.js (added)
• trunk/js/login.1710170444.js (deleted)
• trunk/js/login.1712157269.js (added)
• trunk/js/wfselect2.min.1710170444.js (deleted)
• trunk/js/wfselect2.min.1712157269.js (added)
• trunk/languages/wordfence-login-security.pot (modified) (7 diffs)
• trunk/readme.txt (modified) (1 diff)
• trunk/wordfence-login-security.php (modified) (2 diffs)

wordfence-login-security/tags/1.1.11/classes/controller/captcha.php

@@ -99 +99 @@
                 $jsonResponse = wp_remote_retrieve_body($response);
                 $decoded = @json_decode($jsonResponse, true);
-                if (is_array($decoded) && isset($decoded['success']) && isset($decoded['score']) && isset($decoded['action'])) {
-                    if ($decoded['success'] && $decoded['action'] == $action) {
-                        return (float) $decoded['score'];
+                if (is_array($decoded) && isset($decoded['success'])) {
+                    if ($decoded['success']) {
+                        if (isset($decoded['score']) && isset($decoded['action']) && $decoded['action'] == $action) {
+                            return (float) $decoded['score'];
+                        }
                     }
                     return false;

wordfence-login-security/tags/1.1.11/classes/controller/users.php

@@ -15 +15 @@
     const META_KEY_ALLOW_GRACE_PERIOD = 'wfls-allow-grace-period';
     const META_KEY_VERIFICATION_TOKENS = 'wfls-verification-tokens';
+    const META_KEY_CAPTCHA_SCORES = 'wfls-captcha-scores';
     const VERIFICATION_TOKEN_BYTES = 64;
     const VERIFICATION_TOKEN_LIMIT = 5; //Max number of concurrent tokens
     const VERIFICATION_TOKEN_TRANSIENT_PREFIX = 'wfls_verify_';
+    const CAPTCHA_SCORE_LIMIT = 2; //Max number of captcha scores cached
+    const CAPTCHA_SCORE_TRANSIENT_PREFIX = 'wfls_captcha_';
+    const CAPTCHA_SCORE_CACHE_DURATION = 60; //seconds
     const LARGE_USER_BASE_THRESHOLD = 1000;
     const TRUNCATED_ROLE_KEY = 1;
@@ -949 +953 @@
         return $userId !== null && ($user === null || $userId === $user->ID);
     }
+    
+    /**
+     * Returns the key used to store a captcha score transient.
+     * 
+     * @param string $hash
+     * @return string
+     */
+    private function get_captcha_score_transient_key($hash) {
+        return self::CAPTCHA_SCORE_TRANSIENT_PREFIX . $hash;
+    }
+    
+    /**
+     * Attempts to look up a stored captcha score for the given hash and user. If found, returns the score. If not, 
+     * returns null.
+     * 
+     * @param string $hash
+     * @param \WP_User $user
+     * @return float|false
+     */
+    private function load_captcha_score($hash, $user) {
+        $key = $this->get_captcha_score_transient_key($hash);
+        $data = get_transient($key);
+        if ($data === false) {
+            return false;
+        }
+        
+        if (!$user->exists() || $data['user'] !== $user->ID) {
+            return false;
+        }
+        
+        return floatval($data['score']);
+    }
+    
+    /**
+     * Deletes the stored captcha score if present for the given hash.
+     * 
+     * @param string $hash
+     */
+    private function clear_captcha_score($token, $user) {
+        $hash = $this->hash_captcha_token($token);
+        $key = $this->get_captcha_score_transient_key($hash);
+        delete_transient($key);
+        
+        $storedHashes = get_user_meta($user->ID, self::META_KEY_CAPTCHA_SCORES, true);
+        $validHashes = array();
+        if (is_array($storedHashes)) {
+            foreach ($storedHashes as $hash) {
+                $storedScore = $this->load_captcha_score($hash, $user);
+                if ($storedScore !== false) {
+                    $validHashes[] = $hash;
+                }
+            }
+        }
+        $validHashes = array_slice($validHashes, 0, self::CAPTCHA_SCORE_LIMIT);
+        update_user_meta($user->ID, self::META_KEY_CAPTCHA_SCORES, $validHashes);
+    }
+    
+    /**
+     * Hashes the captcha token for storage.
+     * 
+     * @param string $token
+     * @return string
+     */
+    private function hash_captcha_token($token) {
+        return wp_hash($token);
+    }
+    
+    /**
+     * Returns the cached score for the given captcha score and user if available. This action removes it from the cache
+     * since the intent is for it only to be used for the initial login request to validate credentials + the follow-up
+     * request either finalizing the login (no 2FA set) or with the 2FA token.
+     * 
+     * $expired will be set to `true` if the reason for returning `false` is because the $token is recently expired. It
+     * will be false when the $token is either uncached or has been expired long enough to be removed from the internal
+     * list.
+     * 
+     * @param string $token
+     * @param \WP_User $user
+     * @param bool $expired
+     * @return float|false
+     */
+    public function cached_captcha_score($token, $user, &$expired = false) {
+        $hash = $this->hash_captcha_token($token);
+        $score = $this->load_captcha_score($hash, $user);
+        if ($score === false) {
+            $storedHashes = get_user_meta($user->ID, self::META_KEY_CAPTCHA_SCORES, true);
+            if (is_array($storedHashes)) {
+                $expired = in_array($hash, $storedHashes);
+            }
+        }
+        
+        $this->clear_captcha_score($token, $user);
+        return $score;
+    }
+    
+    /**
+     * Caches the $token/$score pair for $user, automatically pruning its cached list to the maximum allowable count
+     * 
+     * @param string $token
+     * @param float|false $score
+     * @param \WP_User $user
+     */
+    public function cache_captcha_score($token, $score, $user) {
+        if ($score === false) {
+            return;
+        }
+        
+        $storedHashes = get_user_meta($user->ID, self::META_KEY_CAPTCHA_SCORES, true);
+        $validHashes = array();
+        if (is_array($storedHashes)) {
+            foreach ($storedHashes as $hash) {
+                $storedScore = $this->load_captcha_score($hash, $user);
+                if ($storedScore !== false) {
+                    $validHashes[] = $hash;
+                }
+            }
+        }
+        
+        $hash = $this->hash_verification_token($token);
+        array_unshift($validHashes, $hash);
+        while (count($validHashes) > self::CAPTCHA_SCORE_LIMIT) {
+            $excessHash = array_pop($validHashes);
+            delete_transient($this->get_captcha_score_transient_key($excessHash));
+        }
+        
+        $key = $this->get_captcha_score_transient_key($hash);
+        set_transient($key, array('user' => $user->ID, 'score' => $score), self::CAPTCHA_SCORE_CACHE_DURATION);
+        update_user_meta($user->ID, self::META_KEY_CAPTCHA_SCORES, $validHashes);
+    }
 
     public function get_user_count() {

wordfence-login-security/tags/1.1.11/classes/controller/wordfencels.php

@@ -636 +636 @@
             $score = false;
             if ($requireCAPTCHA && !$performVerification) {
-                $score = Controller_CAPTCHA::shared()->score($token);
+                $expired = false;
+                if (is_object($user) && $user instanceof \WP_User) {
+                    $score = Controller_Users::shared()->cached_captcha_score($token, $user, $expired);
+                }
+                
+                if ($score === false) {
+                    if ($expired) {
+                        return new \WP_Error('wfls_captcha_expired', wp_kses(__('<strong>CAPTCHA EXPIRED</strong>: The CAPTCHA verification for this login attempt has expired. Please try again.', 'wordfence-login-security'), array('strong'=>array())));
+                    }
+                    
+                    $score = Controller_CAPTCHA::shared()->score($token);
+                    
+                    if ($score !== false && is_object($user) && $user instanceof \WP_User) {
+                        Controller_Users::shared()->cache_captcha_score($token, $score, $user);
+                        Controller_Users::shared()->record_captcha_score($user, $score);
+                    }
+                }
+                
                 if ($score === false && !Controller_CAPTCHA::shared()->test_mode()) { //An invalid token will require additional verification (if test mode is not active)
                     $performVerification = true;
-                }
-                else if (is_object($user) && $user instanceof \WP_User) {
-                    Controller_Users::shared()->record_captcha_score($user, $score);
                 }
             }

wordfence-login-security/tags/1.1.11/languages/wordfence-login-security.pot

@@ -3 +3 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Wordfence Login Security 1.1.10\n"
-"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/wordfence-login-security-zip-Cjy0sfiYR\n"
+"Project-Id-Version: Wordfence Login Security 1.1.11\n"
+"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/wordfence-login-security-zip-eZqOVC21Q\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <[email protected]>\n"
@@ -10 +10 @@
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-03-11T15:20:44+00:00\n"
+"POT-Creation-Date: 2024-04-03T15:14:29+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.7.1\n"
@@ -265 +265 @@
 msgstr ""
 
-#: classes/controller/users.php:517
+#: classes/controller/users.php:521
 #: classes/controller/wordfencels.php:486
 msgid "2FA Status"
 msgstr ""
 
-#: classes/controller/users.php:521
+#: classes/controller/users.php:525
 msgid "Last Login"
 msgstr ""
 
-#: classes/controller/users.php:523
+#: classes/controller/users.php:527
 msgid "Last CAPTCHA"
 msgstr ""
 
-#: classes/controller/users.php:533
+#: classes/controller/users.php:537
 msgid "Not Allowed"
 msgstr ""
 
-#: classes/controller/users.php:538
+#: classes/controller/users.php:542
 #: classes/controller/wordfencels.php:490
 msgid "Active"
 msgstr ""
 
-#: classes/controller/users.php:541
+#: classes/controller/users.php:545
 msgid "Inactive<small class=\"wfls-sub-status\">(Grace Period)</small>"
 msgstr ""
 
-#: classes/controller/users.php:544
+#: classes/controller/users.php:548
 msgid "Locked Out<small class=\"wfls-sub-status\">(Grace Period Disabled)</small>"
 msgstr ""
 
-#: classes/controller/users.php:544
+#: classes/controller/users.php:548
 msgid "Locked Out<small class=\"wfls-sub-status\">(Grace Period Exceeded)</small>"
 msgstr ""
 
-#: classes/controller/users.php:547
+#: classes/controller/users.php:551
 #: classes/controller/wordfencels.php:490
 msgid "Inactive"
 msgstr ""
 
-#: classes/controller/users.php:560
+#: classes/controller/users.php:564
 msgid "(not required)"
 msgstr ""
 
-#: classes/controller/users.php:654
+#: classes/controller/users.php:658
 msgid "Edit two-factor authentication for %s"
 msgstr ""
 
-#: classes/controller/users.php:654
+#: classes/controller/users.php:658
 #: views/settings/options.php:9
 msgid "2FA"
 msgstr ""
 
-#: classes/controller/users.php:665
+#: classes/controller/users.php:669
 #: views/settings/user-stats.php:25
 msgid "2FA Active"
 msgstr ""
 
-#: classes/controller/users.php:666
+#: classes/controller/users.php:670
 #: views/settings/user-stats.php:26
 msgid "2FA Inactive"
@@ -442 +442 @@
 
 #: classes/controller/wordfencels.php:490
-#: classes/controller/wordfencels.php:855
+#: classes/controller/wordfencels.php:869
 #: views/manage/grace-period.php:22
 msgid "Locked Out"
@@ -500 +500 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:671
+#: classes/controller/wordfencels.php:645
+msgid "<strong>CAPTCHA EXPIRED</strong>: The CAPTCHA verification for this login attempt has expired. Please try again."
+msgstr ""
+
+#: classes/controller/wordfencels.php:685
 msgid "Login Verification Required"
 msgstr ""
 
-#: classes/controller/wordfencels.php:676
+#: classes/controller/wordfencels.php:690
 msgid "<strong>VERIFICATION REQUIRED</strong>: Additional verification is required for login. If there is a valid account for the provided login credentials, please check the email address associated with it for a verification link to continue logging in."
 msgstr ""
 
-#: classes/controller/wordfencels.php:692
+#: classes/controller/wordfencels.php:706
 msgid "<strong>CODE INVALID</strong>: The 2FA code provided is either expired or invalid. Please try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:701
+#: classes/controller/wordfencels.php:715
 msgid "<strong>CODE REQUIRED</strong>: Please enter your 2FA code immediately after your password in the same field."
 msgstr ""
 
-#: classes/controller/wordfencels.php:703
+#: classes/controller/wordfencels.php:717
 msgid "<strong>CODE REQUIRED</strong>: Please provide your 2FA code when prompted."
 msgstr ""
 
-#: classes/controller/wordfencels.php:706
+#: classes/controller/wordfencels.php:720
 msgid "<strong>LOGIN BLOCKED</strong>: 2FA is required to be active on your account. Please contact the site administrator."
 msgstr ""
 
-#: classes/controller/wordfencels.php:709
+#: classes/controller/wordfencels.php:723
 msgid "You do not currently have two-factor authentication active on your account, which will be required beginning %s. <a href=\"%s\">Configure 2FA</a>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:759
+#: classes/controller/wordfencels.php:773
 msgid "Email verification succeeded. Please continue logging in."
 msgstr ""
 
-#: classes/controller/wordfencels.php:762
+#: classes/controller/wordfencels.php:776
 msgid "Email verification invalid or expired. Please try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:816
-#: classes/controller/wordfencels.php:819
+#: classes/controller/wordfencels.php:830
+#: classes/controller/wordfencels.php:833
 msgid "Login Security"
 msgstr ""
 
-#: classes/controller/wordfencels.php:847
+#: classes/controller/wordfencels.php:861
 #: views/settings/options.php:23
 #: views/settings/user-stats.php:33
@@ -547 +551 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:851
+#: classes/controller/wordfencels.php:865
 #: views/manage/grace-period.php:22
 #: views/options/option-roles.php:57
@@ -553 +557 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:870
+#: classes/controller/wordfencels.php:884
 msgid "Users without 2FA active (%s)"
 msgstr ""
 
-#: classes/controller/wordfencels.php:888
-#: classes/controller/wordfencels.php:889
+#: classes/controller/wordfencels.php:902
+#: classes/controller/wordfencels.php:903
 msgid "Two-Factor Authentication"
 msgstr ""
 
-#: classes/controller/wordfencels.php:889
+#: classes/controller/wordfencels.php:903
 msgid "Learn more<span class=\"wfls-hidden-xs\"> about Two-Factor Authentication</span>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:898
+#: classes/controller/wordfencels.php:912
 msgid "Settings"
 msgstr ""
 
-#: classes/controller/wordfencels.php:899
+#: classes/controller/wordfencels.php:913
 msgid "Login Security Settings"
 msgstr ""
 
-#: classes/controller/wordfencels.php:899
+#: classes/controller/wordfencels.php:913
 msgid "Learn more<span class=\"wfls-hidden-xs\"> about Login Security</span>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:925
+#: classes/controller/wordfencels.php:939
 msgid "<strong>REGISTRATION ATTEMPT BLOCKED</strong>: This site requires a security token created when the page loads for all registration attempts. Please ensure JavaScript is enabled and try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:932
+#: classes/controller/wordfencels.php:946
 msgid "<strong>REGISTRATION ATTEMPT BLOCKED</strong>: The security token for the login attempt was invalid or expired. Please reload the page and try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:945
+#: classes/controller/wordfencels.php:959
 msgid "<strong>REGISTRATION BLOCKED</strong>: The registration request was blocked because it was flagged as spam. Please try again or <a href=\"#\" class=\"wfls-registration-captcha-contact\" data-token=\"%s\">contact the site owner</a> for help."
 msgstr ""
 
-#: classes/controller/wordfencels.php:948
+#: classes/controller/wordfencels.php:962
 msgid "<strong>REGISTRATION BLOCKED</strong>: The registration request was blocked because it was flagged as spam. Please try again or contact the site owner for help."
 msgstr ""
 
-#: classes/controller/wordfencels.php:1018
+#: classes/controller/wordfencels.php:1032
 msgid "Wordfence 2FA"
 msgstr ""

wordfence-login-security/tags/1.1.11/readme.txt

@@ -5 +5 @@
 Requires PHP: 5.5
 Tested up to: 6.5
-Stable tag: 1.1.10
+Stable tag: 1.1.11
 
 Secure your website with Wordfence Login Security, providing two-factor authentication, login and registration CAPTCHA, and XML-RPC protection.
@@ -58 +58 @@
 
 == Changelog ==
+
+= 1.1.11 - April 3, 2024 =
+* Fix: Revised the behavior of the reCAPTCHA verification to use the documented expiration period of the token and response to avoid sending verification requests too frequently, which could artificially lower scores in some circumstances
 
 = 1.1.10 - March 11, 2024 =

wordfence-login-security/tags/1.1.11/wordfence-login-security.php

@@ -5 +5 @@
 Author: Wordfence
 Author URI: https://www.wordfence.com/
-Version: 1.1.10
+Version: 1.1.11
 Network: true
 Requires at least: 4.5
@@ -39 +39 @@
     define('WORDFENCE_LS_FROM_CORE', ($wfCoreActive && isset($wfCoreLoading) && $wfCoreLoading));
     
-    define('WORDFENCE_LS_VERSION', '1.1.10');
-    define('WORDFENCE_LS_BUILD_NUMBER', '1710170444');
+    define('WORDFENCE_LS_VERSION', '1.1.11');
+    define('WORDFENCE_LS_BUILD_NUMBER', '1712157269');
 
     define('WORDFENCE_LS_PLUGIN_BASENAME', plugin_basename(__FILE__));

wordfence-login-security/trunk/classes/controller/captcha.php

@@ -99 +99 @@
                 $jsonResponse = wp_remote_retrieve_body($response);
                 $decoded = @json_decode($jsonResponse, true);
-                if (is_array($decoded) && isset($decoded['success']) && isset($decoded['score']) && isset($decoded['action'])) {
-                    if ($decoded['success'] && $decoded['action'] == $action) {
-                        return (float) $decoded['score'];
+                if (is_array($decoded) && isset($decoded['success'])) {
+                    if ($decoded['success']) {
+                        if (isset($decoded['score']) && isset($decoded['action']) && $decoded['action'] == $action) {
+                            return (float) $decoded['score'];
+                        }
                     }
                     return false;

wordfence-login-security/trunk/classes/controller/users.php

@@ -15 +15 @@
     const META_KEY_ALLOW_GRACE_PERIOD = 'wfls-allow-grace-period';
     const META_KEY_VERIFICATION_TOKENS = 'wfls-verification-tokens';
+    const META_KEY_CAPTCHA_SCORES = 'wfls-captcha-scores';
     const VERIFICATION_TOKEN_BYTES = 64;
     const VERIFICATION_TOKEN_LIMIT = 5; //Max number of concurrent tokens
     const VERIFICATION_TOKEN_TRANSIENT_PREFIX = 'wfls_verify_';
+    const CAPTCHA_SCORE_LIMIT = 2; //Max number of captcha scores cached
+    const CAPTCHA_SCORE_TRANSIENT_PREFIX = 'wfls_captcha_';
+    const CAPTCHA_SCORE_CACHE_DURATION = 60; //seconds
     const LARGE_USER_BASE_THRESHOLD = 1000;
     const TRUNCATED_ROLE_KEY = 1;
@@ -949 +953 @@
         return $userId !== null && ($user === null || $userId === $user->ID);
     }
+    
+    /**
+     * Returns the key used to store a captcha score transient.
+     * 
+     * @param string $hash
+     * @return string
+     */
+    private function get_captcha_score_transient_key($hash) {
+        return self::CAPTCHA_SCORE_TRANSIENT_PREFIX . $hash;
+    }
+    
+    /**
+     * Attempts to look up a stored captcha score for the given hash and user. If found, returns the score. If not, 
+     * returns null.
+     * 
+     * @param string $hash
+     * @param \WP_User $user
+     * @return float|false
+     */
+    private function load_captcha_score($hash, $user) {
+        $key = $this->get_captcha_score_transient_key($hash);
+        $data = get_transient($key);
+        if ($data === false) {
+            return false;
+        }
+        
+        if (!$user->exists() || $data['user'] !== $user->ID) {
+            return false;
+        }
+        
+        return floatval($data['score']);
+    }
+    
+    /**
+     * Deletes the stored captcha score if present for the given hash.
+     * 
+     * @param string $hash
+     */
+    private function clear_captcha_score($token, $user) {
+        $hash = $this->hash_captcha_token($token);
+        $key = $this->get_captcha_score_transient_key($hash);
+        delete_transient($key);
+        
+        $storedHashes = get_user_meta($user->ID, self::META_KEY_CAPTCHA_SCORES, true);
+        $validHashes = array();
+        if (is_array($storedHashes)) {
+            foreach ($storedHashes as $hash) {
+                $storedScore = $this->load_captcha_score($hash, $user);
+                if ($storedScore !== false) {
+                    $validHashes[] = $hash;
+                }
+            }
+        }
+        $validHashes = array_slice($validHashes, 0, self::CAPTCHA_SCORE_LIMIT);
+        update_user_meta($user->ID, self::META_KEY_CAPTCHA_SCORES, $validHashes);
+    }
+    
+    /**
+     * Hashes the captcha token for storage.
+     * 
+     * @param string $token
+     * @return string
+     */
+    private function hash_captcha_token($token) {
+        return wp_hash($token);
+    }
+    
+    /**
+     * Returns the cached score for the given captcha score and user if available. This action removes it from the cache
+     * since the intent is for it only to be used for the initial login request to validate credentials + the follow-up
+     * request either finalizing the login (no 2FA set) or with the 2FA token.
+     * 
+     * $expired will be set to `true` if the reason for returning `false` is because the $token is recently expired. It
+     * will be false when the $token is either uncached or has been expired long enough to be removed from the internal
+     * list.
+     * 
+     * @param string $token
+     * @param \WP_User $user
+     * @param bool $expired
+     * @return float|false
+     */
+    public function cached_captcha_score($token, $user, &$expired = false) {
+        $hash = $this->hash_captcha_token($token);
+        $score = $this->load_captcha_score($hash, $user);
+        if ($score === false) {
+            $storedHashes = get_user_meta($user->ID, self::META_KEY_CAPTCHA_SCORES, true);
+            if (is_array($storedHashes)) {
+                $expired = in_array($hash, $storedHashes);
+            }
+        }
+        
+        $this->clear_captcha_score($token, $user);
+        return $score;
+    }
+    
+    /**
+     * Caches the $token/$score pair for $user, automatically pruning its cached list to the maximum allowable count
+     * 
+     * @param string $token
+     * @param float|false $score
+     * @param \WP_User $user
+     */
+    public function cache_captcha_score($token, $score, $user) {
+        if ($score === false) {
+            return;
+        }
+        
+        $storedHashes = get_user_meta($user->ID, self::META_KEY_CAPTCHA_SCORES, true);
+        $validHashes = array();
+        if (is_array($storedHashes)) {
+            foreach ($storedHashes as $hash) {
+                $storedScore = $this->load_captcha_score($hash, $user);
+                if ($storedScore !== false) {
+                    $validHashes[] = $hash;
+                }
+            }
+        }
+        
+        $hash = $this->hash_verification_token($token);
+        array_unshift($validHashes, $hash);
+        while (count($validHashes) > self::CAPTCHA_SCORE_LIMIT) {
+            $excessHash = array_pop($validHashes);
+            delete_transient($this->get_captcha_score_transient_key($excessHash));
+        }
+        
+        $key = $this->get_captcha_score_transient_key($hash);
+        set_transient($key, array('user' => $user->ID, 'score' => $score), self::CAPTCHA_SCORE_CACHE_DURATION);
+        update_user_meta($user->ID, self::META_KEY_CAPTCHA_SCORES, $validHashes);
+    }
 
     public function get_user_count() {

wordfence-login-security/trunk/classes/controller/wordfencels.php

@@ -636 +636 @@
             $score = false;
             if ($requireCAPTCHA && !$performVerification) {
-                $score = Controller_CAPTCHA::shared()->score($token);
+                $expired = false;
+                if (is_object($user) && $user instanceof \WP_User) {
+                    $score = Controller_Users::shared()->cached_captcha_score($token, $user, $expired);
+                }
+                
+                if ($score === false) {
+                    if ($expired) {
+                        return new \WP_Error('wfls_captcha_expired', wp_kses(__('<strong>CAPTCHA EXPIRED</strong>: The CAPTCHA verification for this login attempt has expired. Please try again.', 'wordfence-login-security'), array('strong'=>array())));
+                    }
+                    
+                    $score = Controller_CAPTCHA::shared()->score($token);
+                    
+                    if ($score !== false && is_object($user) && $user instanceof \WP_User) {
+                        Controller_Users::shared()->cache_captcha_score($token, $score, $user);
+                        Controller_Users::shared()->record_captcha_score($user, $score);
+                    }
+                }
+                
                 if ($score === false && !Controller_CAPTCHA::shared()->test_mode()) { //An invalid token will require additional verification (if test mode is not active)
                     $performVerification = true;
-                }
-                else if (is_object($user) && $user instanceof \WP_User) {
-                    Controller_Users::shared()->record_captcha_score($user, $score);
                 }
             }

wordfence-login-security/trunk/languages/wordfence-login-security.pot

@@ -3 +3 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Wordfence Login Security 1.1.10\n"
-"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/wordfence-login-security-zip-Cjy0sfiYR\n"
+"Project-Id-Version: Wordfence Login Security 1.1.11\n"
+"Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/wordfence-login-security-zip-eZqOVC21Q\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <[email protected]>\n"
@@ -10 +10 @@
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-03-11T15:20:44+00:00\n"
+"POT-Creation-Date: 2024-04-03T15:14:29+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.7.1\n"
@@ -265 +265 @@
 msgstr ""
 
-#: classes/controller/users.php:517
+#: classes/controller/users.php:521
 #: classes/controller/wordfencels.php:486
 msgid "2FA Status"
 msgstr ""
 
-#: classes/controller/users.php:521
+#: classes/controller/users.php:525
 msgid "Last Login"
 msgstr ""
 
-#: classes/controller/users.php:523
+#: classes/controller/users.php:527
 msgid "Last CAPTCHA"
 msgstr ""
 
-#: classes/controller/users.php:533
+#: classes/controller/users.php:537
 msgid "Not Allowed"
 msgstr ""
 
-#: classes/controller/users.php:538
+#: classes/controller/users.php:542
 #: classes/controller/wordfencels.php:490
 msgid "Active"
 msgstr ""
 
-#: classes/controller/users.php:541
+#: classes/controller/users.php:545
 msgid "Inactive<small class=\"wfls-sub-status\">(Grace Period)</small>"
 msgstr ""
 
-#: classes/controller/users.php:544
+#: classes/controller/users.php:548
 msgid "Locked Out<small class=\"wfls-sub-status\">(Grace Period Disabled)</small>"
 msgstr ""
 
-#: classes/controller/users.php:544
+#: classes/controller/users.php:548
 msgid "Locked Out<small class=\"wfls-sub-status\">(Grace Period Exceeded)</small>"
 msgstr ""
 
-#: classes/controller/users.php:547
+#: classes/controller/users.php:551
 #: classes/controller/wordfencels.php:490
 msgid "Inactive"
 msgstr ""
 
-#: classes/controller/users.php:560
+#: classes/controller/users.php:564
 msgid "(not required)"
 msgstr ""
 
-#: classes/controller/users.php:654
+#: classes/controller/users.php:658
 msgid "Edit two-factor authentication for %s"
 msgstr ""
 
-#: classes/controller/users.php:654
+#: classes/controller/users.php:658
 #: views/settings/options.php:9
 msgid "2FA"
 msgstr ""
 
-#: classes/controller/users.php:665
+#: classes/controller/users.php:669
 #: views/settings/user-stats.php:25
 msgid "2FA Active"
 msgstr ""
 
-#: classes/controller/users.php:666
+#: classes/controller/users.php:670
 #: views/settings/user-stats.php:26
 msgid "2FA Inactive"
@@ -442 +442 @@
 
 #: classes/controller/wordfencels.php:490
-#: classes/controller/wordfencels.php:855
+#: classes/controller/wordfencels.php:869
 #: views/manage/grace-period.php:22
 msgid "Locked Out"
@@ -500 +500 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:671
+#: classes/controller/wordfencels.php:645
+msgid "<strong>CAPTCHA EXPIRED</strong>: The CAPTCHA verification for this login attempt has expired. Please try again."
+msgstr ""
+
+#: classes/controller/wordfencels.php:685
 msgid "Login Verification Required"
 msgstr ""
 
-#: classes/controller/wordfencels.php:676
+#: classes/controller/wordfencels.php:690
 msgid "<strong>VERIFICATION REQUIRED</strong>: Additional verification is required for login. If there is a valid account for the provided login credentials, please check the email address associated with it for a verification link to continue logging in."
 msgstr ""
 
-#: classes/controller/wordfencels.php:692
+#: classes/controller/wordfencels.php:706
 msgid "<strong>CODE INVALID</strong>: The 2FA code provided is either expired or invalid. Please try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:701
+#: classes/controller/wordfencels.php:715
 msgid "<strong>CODE REQUIRED</strong>: Please enter your 2FA code immediately after your password in the same field."
 msgstr ""
 
-#: classes/controller/wordfencels.php:703
+#: classes/controller/wordfencels.php:717
 msgid "<strong>CODE REQUIRED</strong>: Please provide your 2FA code when prompted."
 msgstr ""
 
-#: classes/controller/wordfencels.php:706
+#: classes/controller/wordfencels.php:720
 msgid "<strong>LOGIN BLOCKED</strong>: 2FA is required to be active on your account. Please contact the site administrator."
 msgstr ""
 
-#: classes/controller/wordfencels.php:709
+#: classes/controller/wordfencels.php:723
 msgid "You do not currently have two-factor authentication active on your account, which will be required beginning %s. <a href=\"%s\">Configure 2FA</a>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:759
+#: classes/controller/wordfencels.php:773
 msgid "Email verification succeeded. Please continue logging in."
 msgstr ""
 
-#: classes/controller/wordfencels.php:762
+#: classes/controller/wordfencels.php:776
 msgid "Email verification invalid or expired. Please try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:816
-#: classes/controller/wordfencels.php:819
+#: classes/controller/wordfencels.php:830
+#: classes/controller/wordfencels.php:833
 msgid "Login Security"
 msgstr ""
 
-#: classes/controller/wordfencels.php:847
+#: classes/controller/wordfencels.php:861
 #: views/settings/options.php:23
 #: views/settings/user-stats.php:33
@@ -547 +551 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:851
+#: classes/controller/wordfencels.php:865
 #: views/manage/grace-period.php:22
 #: views/options/option-roles.php:57
@@ -553 +557 @@
 msgstr ""
 
-#: classes/controller/wordfencels.php:870
+#: classes/controller/wordfencels.php:884
 msgid "Users without 2FA active (%s)"
 msgstr ""
 
-#: classes/controller/wordfencels.php:888
-#: classes/controller/wordfencels.php:889
+#: classes/controller/wordfencels.php:902
+#: classes/controller/wordfencels.php:903
 msgid "Two-Factor Authentication"
 msgstr ""
 
-#: classes/controller/wordfencels.php:889
+#: classes/controller/wordfencels.php:903
 msgid "Learn more<span class=\"wfls-hidden-xs\"> about Two-Factor Authentication</span>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:898
+#: classes/controller/wordfencels.php:912
 msgid "Settings"
 msgstr ""
 
-#: classes/controller/wordfencels.php:899
+#: classes/controller/wordfencels.php:913
 msgid "Login Security Settings"
 msgstr ""
 
-#: classes/controller/wordfencels.php:899
+#: classes/controller/wordfencels.php:913
 msgid "Learn more<span class=\"wfls-hidden-xs\"> about Login Security</span>"
 msgstr ""
 
-#: classes/controller/wordfencels.php:925
+#: classes/controller/wordfencels.php:939
 msgid "<strong>REGISTRATION ATTEMPT BLOCKED</strong>: This site requires a security token created when the page loads for all registration attempts. Please ensure JavaScript is enabled and try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:932
+#: classes/controller/wordfencels.php:946
 msgid "<strong>REGISTRATION ATTEMPT BLOCKED</strong>: The security token for the login attempt was invalid or expired. Please reload the page and try again."
 msgstr ""
 
-#: classes/controller/wordfencels.php:945
+#: classes/controller/wordfencels.php:959
 msgid "<strong>REGISTRATION BLOCKED</strong>: The registration request was blocked because it was flagged as spam. Please try again or <a href=\"#\" class=\"wfls-registration-captcha-contact\" data-token=\"%s\">contact the site owner</a> for help."
 msgstr ""
 
-#: classes/controller/wordfencels.php:948
+#: classes/controller/wordfencels.php:962
 msgid "<strong>REGISTRATION BLOCKED</strong>: The registration request was blocked because it was flagged as spam. Please try again or contact the site owner for help."
 msgstr ""
 
-#: classes/controller/wordfencels.php:1018
+#: classes/controller/wordfencels.php:1032
 msgid "Wordfence 2FA"
 msgstr ""

wordfence-login-security/trunk/readme.txt

@@ -58 +58 @@
 
 == Changelog ==
+
+= 1.1.11 - April 3, 2024 =
+* Fix: Revised the behavior of the reCAPTCHA verification to use the documented expiration period of the token and response to avoid sending verification requests too frequently, which could artificially lower scores in some circumstances
 
 = 1.1.10 - March 11, 2024 =

wordfence-login-security/trunk/wordfence-login-security.php

@@ -5 +5 @@
 Author: Wordfence
 Author URI: https://www.wordfence.com/
-Version: 1.1.10
+Version: 1.1.11
 Network: true
 Requires at least: 4.5
@@ -39 +39 @@
     define('WORDFENCE_LS_FROM_CORE', ($wfCoreActive && isset($wfCoreLoading) && $wfCoreLoading));
     
-    define('WORDFENCE_LS_VERSION', '1.1.10');
-    define('WORDFENCE_LS_BUILD_NUMBER', '1710170444');
+    define('WORDFENCE_LS_VERSION', '1.1.11');
+    define('WORDFENCE_LS_BUILD_NUMBER', '1712157269');
 
     define('WORDFENCE_LS_PLUGIN_BASENAME', plugin_basename(__FILE__));