fix: salt parameter splicing

Author: ovx

altcha.php

@@ -7,16 +7,16 @@
  * Description: ALTCHA is a free, open-source CAPTCHA alternative that offers robust protection without using cookies, ensuring full GDPR compliance by design. It also provides invisible anti-spam and anti-bot protection through ALTCHA's API.
  * Author: Altcha.org
  * Author URI: https://altcha.org
- * Version: 1.26.2
- * Stable tag: 1.26.2
+ * Version: 1.26.3
+ * Stable tag: 1.26.3
  * Requires at least: 5.0
  * Requires PHP: 7.3
  * Tested up to: 6.8
  * License: GPLv2 or later
  * License URI: https://www.gnu.org/licenses/gpl-2.0.html  
  */
 
-define('ALTCHA_VERSION', '1.26.2');
+define('ALTCHA_VERSION', '1.26.3');
 define('ALTCHA_WEBSITE', 'https://altcha.org/');
 define('ALTCHA_WIDGET_VERSION', '2.2.2');
 

includes/core.php

@@ -464,6 +464,9 @@ public function generate_challenge($hmac_key = null, $complexity = null, $expire
         'expires' => time() + $expires
       ));
     }
+    if (!str_ends_with($salt, '&')) {
+      $salt .= '&';
+    }
     switch ($complexity) {
       case 'low':
         $min_secret = 100;

readme.txt

@@ -2,8 +2,8 @@
 Tags: altcha, captcha, spam, anti-spam, anti-bot, antispam, recaptcha, hcaptcha, gdpr
 Author: Altcha.org
 Author URI: https://altcha.org
-Version: 1.26.2
-Stable tag: 1.26.2
+Version: 1.26.3
+Stable tag: 1.26.3
 Requires at least: 5.0
 Requires PHP: 7.3
 Tested up to: 6.8
@@ -114,6 +114,9 @@ All source code for the plugin, and the ALTCHA widget is available on GitHub. In
 
 == Changelog ==
 
+= 1.26.3 =
+* Fixed possible replay attacks via salt splicing.
+
 = 1.26.2 =
 * Updated readme for the new version 2.