Skip to main content

Captcha Changelog

Version: 1.6.0 - Released on 2026-05-27

  • Fix: Checkout requests now stop retrying when the CAPTCHA verification is blocked, preventing checkout lockouts in strict CSP environments.

Version: 1.5.3 - Released on 2026-05-25

  • Fix: Cap captcha now waits correctly when the signup widget is injected later in multi-step flows, preventing token-timeout failures.
  • Improved: End-to-end test coverage now includes a regression guard for multi-step waitForToken behavior.

Version: 1.5.2 - Released on 2026-05-25

  • Fix: Cap captcha invisible-mode signup no longer crashes with Cannot read properties of null (reading 'token') when the <cap-widget> element is not yet in the DOM (e.g. WP Ultimo Vue signup form). The token-resolver now null-guards the widget in the fast-path check, allowing the polling loop to wait for the widget to render.

Version: 1.5.1 - Released on 2026-05-23

  • Fix: Cap captcha checkout now waits for the token before submitting, preventing empty form submissions on WooCommerce checkout.
  • Fix: Cap captcha loader now preserves its query arguments, so the WASM assets resolve correctly.

Version: 1.4.2-beta.1 - Released on 2026-05-09

  • Fixed: Cap captcha invisible-mode WASM solver race that could cause missing_token errors on form submission across all protected surfaces (WPU wizard, wp-login, register/lostpassword, comments, WC login/register/lostpassword, WC classic + blocks checkout, WPU custom login element). Submit-time gating is now applied uniformly via a shared window.WUCap helper. (#110)

Version: 1.4.1 - Released on 2026-05-07

  • Fixed: Prevent cap-widget from adding duplicate cap-token to form payload (#105)
  • Fixed: Comments Form captcha protection is now enabled by default (#104)
  • Fixed: Login now shows a clear captcha error message instead of "Something went wrong" (#84)
  • Fixed: Captcha re-validation is now skipped during 2FA OTP submission to prevent user lockouts (#82)

Version: 1.4.0 - Released on 2026-05-05

  • New: Inline login captcha — captcha is now enforced on the Ultimate Multisite inline login form element, blocking bot logins during checkout
  • New: Cap captcha API now routed through admin-ajax for improved reliability across all environments
  • Improved: Captcha integration rebuilt with hook-based architecture, improving theme and plugin compatibility
  • Improved: Unified polymorphic validation for all captcha providers
  • Improved: Composer dependencies auto-install before running the test suite (pretest npm hook)
  • Improved: WooCommerce checkout E2E test coverage added

Version 1.4.0 - Released on 2026-XX-XX

  • New: Rate limiter extra protection (5 attempts / 10 min, 1-hour block) — enabled by default
  • New: StopForumSpam integration — zero-config, enabled by default, no API key needed
  • New: Project Honey Pot http:BL integration (requires free access key)
  • New: AbuseIPDB integration (requires API key)
  • New: Honeypot field + timing check (sub-2-second submissions blocked as bots)
  • New: User-Agent blocklist for common bot signatures

Version 1.3.10 - Released on 2026-04-17

  • Fix: Checkout no longer triggers duplicate error notices when the captcha hook fires on both woocommerce_checkout_process and woocommerce_after_checkout_validation.
  • Fix: Invisible Cap captcha now correctly passes through on the WooCommerce Blocks checkout path when graceful pass-through is enabled.
  • Fix: Fatal TypeError when a third-party registration plugin passes null via the registration_errors filter instead of a WP_Error object.
  • Fix: Checkout submit button now shows a disabled state while the WASM proof-of-work completes, covering WooCommerce (#place_order) and CartFlows (.wcf-submit-button). Timeout extended to 10 seconds for slower devices.
  • Improved: Plugin autoloader now skips initialisation when Bedrock's root autoloader has already loaded the dependencies, reducing overhead on Bedrock-based WordPress installations.

Version 1.3.9 - Released on 2026-04-02

  • Fix: Version constant now correctly reflects the installed addon version (was reporting core plugin version)
  • New: Release validation step in deployment workflow to catch version mismatches before publishing

Version 1.3.8 - Released on 2026-03-31

  • New: Automated deployment workflow for WooCommerce marketplace releases
  • New: AGENTS.md with build, lint, test, and code style guidelines
  • Changed: Renamed composer package to ultimate-multisite/ultimate-multisite-captcha
  • Changed: Replaced trigger-docs.yml with scheduled rebuild
  • Changed: Added integration test workflow via core reusable CI

Version 1.3.7 - Released on 2026-03-25

  • Fix: Checkout and login no longer fail when a security plugin (WP Defender, Wordfence) or firewall blocks the captcha verification endpoint. The captcha now detects the block and lets the form submit normally.
  • Fix: Checkout no longer fails when the invisible captcha proof-of-work takes longer than expected to complete. The form now waits gracefully and submits once ready.
  • Fix: Invisible captcha no longer uses the heavy proof-of-work difficulty level, which was causing 5-10 second delays that defeated the purpose of being invisible.
  • Fix: Captcha verification failures no longer trigger IP lockouts from security plugins like WP Defender and Wordfence. Previously, a captcha infrastructure issue could lock out legitimate users by counting each failed verification as a brute-force login attempt.
  • Fixed: Cap widget attachShadow error when Vue.js re-renders DOM elements
  • Fixed: WASM worker CORS error due to missing Access-Control-Allow-Origin on .wasm files
  • Fixed: Added .htaccess for correct WASM MIME type and CORS headers on LiteSpeed/Apache servers

Version 1.3.6 - Released on 2026-03-06

  • Fixed: Asset URLs using core plugin version instead of captcha addon version

Version 1.3.5 - Released on 2026-03-06

  • New: Captcha validation for inline login on checkout forms
  • New: Captcha widget rendered inside the inline login prompt
  • New: Hook into wu_before_inline_login filter for pre-authentication validation
  • New: Hook into wu_inline_login_prompt_before_submit to render captcha in login prompt

Version: 1.3.4 - Released on 2026-XX-XX

  • Fixed: CORS error when loading wasm from CDN.

Version: 1.3.3 - Released on 2026-02-03

  • Fixed: XSS vulnerability in Cloudflare challenge message display (cap-login, cap-checkout, cap-unified)
  • Fixed: Potential fatal error when WC() returns null during early initialization
  • Fixed: Captcha not resetting on network/fetch failures in WooCommerce Blocks checkout
  • Fixed: MutationObserver not detecting WooCommerce Block checkout errors for captcha reset
  • Improved: Captcha no longer resets unnecessarily on routine checkout updates (shipping, coupons)

Version: 1.3.2 - Released on 2026-01-27

  • Fixed: Cap widget not rendering on checkout forms using Elementor or other page builders
  • Fixed: cap-widget custom element being stripped by wp_kses() sanitization
  • Improved: Use callable content for checkout captcha field to bypass HTML filtering
  • Improved: Simplified JavaScript with fallback for edge cases

Version: 1.3.1 - Released on 2026-01-26

  • Fixed: Cap Captcha invisible mode not auto-solving on dynamic Ultimate Multisite checkout forms
  • Improved: Cap checkout script now uses MutationObserver to detect dynamically loaded widgets
  • Improved: Added checkout button interception to wait for token before submission

Version: 1.3.0 - Released on 2026-01-27

  • New: WooCommerce Blocks checkout integration with Store API fetch interception
  • New: Invisible captcha support for WooCommerce checkout (hCaptcha invisible, reCAPTCHA v2 invisible, v3)
  • New: Standalone settings page for use without Ultimate Multisite
  • New: Jetpack Autoloader for dependency conflict prevention
  • Fixed: hCaptcha not rendering on dynamic Ultimate Multisite checkout (AJAX-loaded content)
  • Fixed: Captcha not refreshing/resetting when form validation errors occur
  • Fixed: hCaptcha not showing on WooCommerce checkout page
  • Fixed: reCAPTCHA class not found error (added google/recaptcha PHP library)
  • Improved: Error detection via WordPress hooks, MutationObserver, and AJAX interception
  • Improved: Settings descriptions now include dashboard URLs for API keys

Version: 1.2.2 - Released on 2026-01-24

  • Fixed: Captcha not displaying on Ultimate Multisite Login Form Element (form filter name mismatch)
  • Fixed: Cap widget HTML being stripped by wp_kses() sanitization
  • Fixed: JavaScript selectors not finding forms with slashes in element IDs
  • Added: Filter hook wu_kses_allowed_html for classaddons to extend allowed HTML tags
  • Removed: Dead code JavaScript files replaced by provider-specific scripts

Version: 1.2.1 - Released on 2026-01-23

  • Fixed: Cap Captcha token validation failing in multisite environments (now uses network-wide transients)
  • Fixed: Captcha now renders consistently for all users regardless of login status
  • Fixed: Mismatch between captcha rendering and validation that caused checkout failures

Version: 1.2.0 - Released on 2026-01-21

  • New: Cap Captcha - self-hosted proof-of-work captcha, enabled by default on activation
  • New: Zero-configuration protection - activate the addon and you're protected immediately
  • New: Polymorphic captcha provider architecture for easy extensibility
  • New: WooCommerce Store API checkout protection against card testing attacks
  • New: Statistics tracking dashboard showing challenges, verifications, and blocked attacks
  • New: Security level presets (Fast, Medium, Max) for Cap Captcha difficulty
  • New: Abstract base classes for reCAPTCHA and hCaptcha providers
  • Improved: Refactored codebase into modular provider classes
  • Improved: Better separation of concerns with dedicated manager class
  • Fixed: Security improvements for $_SERVER variable sanitization
  • Fixed: PHPUnit test configuration for WordPress naming conventions

Version: 1.0.1 - Released on 2025-09-28

  • Rename prefix to ultimate-multisite; update text domain; version bump.