Forum owners can apply a workaround until a full fix is released

MyBB CAPTCHA bug breaks forum validation checks

MyBB is warning users that the latest version of the software has introduced a CAPTCHA-breaking bug that could impact forum functionality.

The popular open source software provides the backbone of thousands of forums online. However, version 1.8.27, released in June, inadvertently pushed out a programming flaw which impacts CAPTCHA verification systems enabled by users.

In a notice posted on October 3, the project’s developers warned that the bug affects reCAPTCHA v3 and hCaptcha invisible, two services designed to prevent malicious bots from flooding online resources with fraudulent traffic.


The MyBB team said that validation attempts made through the CAPTCHAs, when implemented on a forum, may “appear broken and the verification can reject or accept attempts incorrectly”.

The issue, opened on GitHub, has been caused by the wrong template and handlers being introduced for the CAPTCHAs.

Incorrect pointers have led to a broken image verification prompt in reCAPTCHA v3, potentially allowing the system to be bypassed. In the case of hCaptcha, the wrong handler could prompt the feature to reject all challenges.

MyBB recommends that users temporarily switch over to a different mechanism for implementing CAPTCHAs on their forums or to manually apply upcoming changes available on GitHub.

The team is currently working on stabilizing version 1.8.27 and a patch will be included in the next maintenance release.

Check your builds

In addition to the CAPTCHA patch, MyBB has asked forum operators to check their error logging setups.

A read-only feature released in MyBB 1.8.27 enforces validation of XHTML code when it is generated, giving forum managers a chance to spot any problems in a configuration error log ahead of the planned full release of this feature.

Customized MyCodes, plugins, theme templates, or username styles may flag up errors in the next build if they are not compatible.

“After upgrading, validation errors will continue to be logged, but messages with problematic MyCode will not be displayed to prevent potential XSS attacks against your forums,” the developers say.

The Daily Swig has reached out to MyBB with additional queries and we will update when we hear back.
