In the function XoopsCaptcha::verify() it says:
} else if (!empty($maxAttempts) && ! empty($_SESSION["{$sessionName}_attempt"]) > $maxAttempts) {
$this->message[] = _CAPTCHA_TOOMANYATTEMPTS;
// Verify the code
}
The result of
(!empty($maxAttempts) && ! empty($_SESSION["{$sessionName}_attempt"])
Shoudn't it be:
} else if ((!empty($maxAttempts) && ! empty($_SESSION["{$sessionName}_attempt"])) && ($_SESSION["{$sessionName}_attempt"] > $maxAttempts)) {
?