I didn’t inform you about holes in your plugin yet because of a few reasons. 1st - because of lack of time (I’m very busy man and I was overloaded with my MoBiC project). And 2nd - because in Month of Bugs in Captchas project I decided not to inform all captchas developers in November, but to inform them in December (on the other hand I announced my project in October). It’s because of time which need to inform every captchas developers (in whose captchas I found holes) and also because of the idea of project, that developers must themselves watch to security of their captchas. Which is very easy with my project where I posted holes in captchas only, so no need to watch many sources, just watch my MoBiC project to find if your captcha is vulnerable, and if it is to fix it.

But in any case I was trying to inform beforehand users of those captchas which will be in my project. In case of your plugin I informed admin of blog at tehposse.org (which use Math Comment Spam Protection).

And it is good, that you found this article (which was made for you and for every user of plugin) and already fixed the XSS holes. When I’ll find time I maybe look at new version of your plugin (to check how it was fixed).

But, Michael, as I see from you comment and from post at your site, you fixed only XSS holes. But it’s only bonus post about XSS holes in Math Comment Spam Protection. The main post is about Insufficient Anti-automation hole in your plugin - it’s about bypassing captcha, which is main topic of MoBiC project. Did you read that article? I see you didn’t. I recommend you to read it too and to fix the hole.

A fixed plugin version is available in the meantime, version 2.2. Not yet available at wordpress.org though since it takes a while until their website script updates the latest uploads, however available at the plugin’s website.