diff --git a/adm/admin.lib.php b/adm/admin.lib.php
index edbf96fb5..6a2fc5f2b 100644
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@@ -554,9 +554,18 @@ function admin_check_xss_params($params)
 
         if (is_array($value)) {
             admin_check_xss_params($value);
-        } else if ((preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/(onload|onerror)=.*/ius', $value))) || preg_match('/^(?=.*token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) || (preg_match('/(onload|onerror|focus)=.*/ius', $value) && preg_match('/(eval|expression|exec|prompt)(\s*)\((.*)\)/ius', $value))) {
+        } else if (
+            (preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/on[a-z]+=*/ius', $value))) || preg_match('/^(?=.*token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) || 
+            (preg_match('/(on[a-z]+|focus)=.*/ius', $value) && preg_match('/(eval|atob|fetch|expression|exec|prompt)(\s*)\((.*)\)/ius', $value))) {
             alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.', G5_URL);
             die();
+        } else if (preg_match('/atob\s*\(\s*[\'"]?([a-zA-Z0-9+\/=]+)[\'"]?\s*\)/ius', $value, $matches)) {
+            $decoded = base64_decode($matches[1], true);
+            if ($decoded && preg_match('/(eval|fetch|script|alert|settimeout|setinterval)/ius', $decoded)) {
+                // error_log("Base64 XSS 시도 감지: key=$key, decoded=$decoded, IP=" . $_SERVER['REMOTE_ADDR']);
+                alert('Base64로 인코딩된 위험한 스크립트가 발견되었습니다.', G5_URL);
+                die();
+            }
         }
     }
 
diff --git a/adm/config_form.php b/adm/config_form.php
index c63189411..986112e79 100644
--- a/adm/config_form.php
+++ b/adm/config_form.php
@@ -1557,7 +1557,17 @@ if ($config['cf_sms_use'] && $config['cf_icode_id'] && $config['cf_icode_pw']) {
             </table>
         </div>
     </section>
-
+    
+    <div id="config_captcha_wrap" style="display:none">
+        <h2>캡챠입력</h2>
+        <?php
+        require_once G5_CAPTCHA_PATH . '/captcha.lib.php';
+        $captcha_html = captcha_html();
+        $captcha_js   = chk_captcha_js();
+        echo $captcha_html;
+        ?>
+    </div>
+    
     <div class="btn_fixed_top btn_confirm">
         <input type="submit" value="확인" class="btn_submit btn" accesskey="s">
     </div>
@@ -1629,10 +1639,61 @@ if ($config['cf_sms_use'] && $config['cf_icode_id'] && $config['cf_icode_pw']) {
         });
     });
 
+    // 각 요소의 초기값 저장
+    var initialValues = {
+        cf_admin: $('#cf_admin').val(),
+        cf_analytics: $('#cf_analytics').val(),
+        cf_add_meta: $('#cf_add_meta').val(),
+        cf_add_script: $('#cf_add_script').val()
+    };
+
+    function check_config_captcha_open() {
+        var isChanged = false;
+
+        // 현재 값이 있는 경우에만 변경 여부 체크
+        if ($('#cf_admin').val()) {
+            isChanged = isChanged || $('#cf_admin').val() !== initialValues.cf_admin;
+        }
+        if ($('#cf_analytics').val()) {
+            isChanged = isChanged || $('#cf_analytics').val() !== initialValues.cf_analytics;
+        }
+        if ($('#cf_add_meta').val()) {
+            isChanged = isChanged || $('#cf_add_meta').val() !== initialValues.cf_add_meta;
+        }
+        if ($('#cf_add_script').val()) {
+            isChanged = isChanged || $('#cf_add_script').val() !== initialValues.cf_add_script;
+        }
+        
+        var $wrap = $("#config_captcha_wrap"),
+            tooptipid = "mp_captcha_tooltip",
+            $p_text = $("<p>", {id:tooptipid, style:"font-size:0.95em;letter-spacing:-0.1em"}).html("중요정보를 수정할 경우 캡챠를 입력해야 합니다."),
+            $children = $wrap.children(':first'),
+            is_invisible_recaptcha = $("#captcha").hasClass("invisible_recaptcha");
+
+        if(isChanged){
+            $wrap.show();
+            if(! is_invisible_recaptcha) {
+                $wrap.css("margin-top","1em");
+                if(! $("#"+tooptipid).length){ $children.after($p_text) }
+            }
+        } else {
+            $wrap.hide();
+            if($("#"+tooptipid).length && ! is_invisible_recaptcha){ $children.next("#"+tooptipid).remove(); }
+        }
+        
+        return isChanged;
+    }
+        
     function fconfigform_submit(f) {
         var current_user_ip = "<?php echo $_SERVER['REMOTE_ADDR']; ?>";
         var cf_intercept_ip_val = f.cf_intercept_ip.value;
-
+        
+        if (check_config_captcha_open()){
+            jQuery("html, body").scrollTop(jQuery("#config_captcha_wrap").offset().top);
+            
+            <?php echo $captcha_js; // 캡챠 사용시 자바스크립트에서 입력된 캡챠를 검사함 ?>
+        }
+        
         if (cf_intercept_ip_val && current_user_ip) {
             var cf_intercept_ips = cf_intercept_ip_val.split("\n");
 
@@ -1653,6 +1714,22 @@ if ($config['cf_sms_use'] && $config['cf_icode_id'] && $config['cf_icode_pw']) {
         f.action = "./config_form_update.php";
         return true;
     }
+    
+    jQuery(function($){
+        $("#captcha_key").prop('required', false).removeAttr("required").removeClass("required");
+        
+        // 최고관리자 변경시
+        $(document).on('change', '#cf_admin', check_config_captcha_open);
+
+        // 방문자분석 스크립트 변경시
+        $(document).on('input', '#cf_analytics', check_config_captcha_open);
+        
+        // 추가 메타태그 변경시
+        $(document).on('input', '#cf_add_meta', check_config_captcha_open);
+        
+        // 추가 script, css 변경시
+        $(document).on('input', '#cf_add_script', check_config_captcha_open);
+    });
 </script>
 
 <?php
diff --git a/adm/config_form_update.php b/adm/config_form_update.php
index c3769a3e9..0e7c81bf9 100644
--- a/adm/config_form_update.php
+++ b/adm/config_form_update.php
@@ -10,6 +10,9 @@ if ($is_admin != 'super') {
     alert('최고관리자만 접근 가능합니다.');
 }
 
+$sql = " select * from {$g5['config_table']} limit 1";
+$ori_config = sql_fetch($sql);
+
 $cf_title = isset($_POST['cf_title']) ? strip_tags(clean_xss_attributes($_POST['cf_title'])) : '';
 $cf_admin = isset($_POST['cf_admin']) ? clean_xss_tags($_POST['cf_admin'], 1, 1) : '';
 
@@ -185,6 +188,33 @@ if (!$_POST['cf_cert_use']) {
    $_POST['cf_cert_simple'] = '';
 }
 
+// 관리자가 자동등록방지를 사용해야 할 경우 ( 기본환경설정에서 최고관리자, 방문자분석 스크립트, 추가 메타태그, 추가 script, css 변경시 )
+$check_captcha = 0;
+
+if ($cf_admin && $ori_config['cf_admin'] !== $cf_admin) {
+    $check_captcha = 1;
+}
+
+if ($_POST['cf_analytics'] && $ori_config['cf_analytics'] !== stripslashes($_POST['cf_analytics'])) {
+    $check_captcha = 1;
+}
+
+if ($_POST['cf_add_meta'] && $ori_config['cf_add_meta'] !== stripslashes($_POST['cf_add_meta'])) {
+    $check_captcha = 1;
+}
+
+if ($_POST['cf_add_script'] && $ori_config['cf_add_script'] !== stripslashes($_POST['cf_add_script'])) {
+    $check_captcha = 1;
+}
+
+if ($check_captcha) {
+    include_once(G5_CAPTCHA_PATH . '/captcha.lib.php');
+
+    if (!chk_captcha()) {
+        alert('자동등록방지 숫자가 틀렸습니다.');
+    }
+}
+
 $sql = " update {$g5['config_table']}
             set cf_title = '{$cf_title}',
                 cf_admin = '{$cf_admin}',
@@ -346,6 +376,10 @@ if (isset($_POST['cf_bbs_rewrite'])) {
     g5_delete_all_cache();
 }
 
+if (function_exists('get_admin_captcha_by')) {
+    get_admin_captcha_by('remove');
+}
+
 run_event('admin_config_form_update');
 
 update_rewrite_rules();
diff --git a/adm/member_form_update.php b/adm/member_form_update.php
index 55b8a58a0..29e96a38c 100644
--- a/adm/member_form_update.php
+++ b/adm/member_form_update.php
@@ -19,7 +19,7 @@ $mb_certify     = isset($_POST['mb_certify']) ? preg_replace('/[^0-9a-z_]/i', ''
 $mb_zip         = isset($_POST['mb_zip']) ? preg_replace('/[^0-9a-z_]/i', '', $_POST['mb_zip']) : '';
 
 // 관리자가 자동등록방지를 사용해야 할 경우 ( 회원의 비밀번호 변경시 캡챠를 체크한다 )
-if ($mb_password && function_exists('get_admin_captcha_by') && get_admin_captcha_by()) {
+if ($mb_password) {
     include_once(G5_CAPTCHA_PATH . '/captcha.lib.php');
 
     if (!chk_captcha()) {
diff --git a/adm/shop_admin/couponform.php b/adm/shop_admin/couponform.php
index be26be6f3..ec01ed96d 100644
--- a/adm/shop_admin/couponform.php
+++ b/adm/shop_admin/couponform.php
@@ -46,13 +46,13 @@ include_once(G5_PLUGIN_PATH.'/jquery-ui/datepicker.php');
 ?>
 
 <form name="fcouponform" action="./couponformupdate.php" method="post" onsubmit="return form_check(this);">
-<input type="hidden" name="w" value="<?php echo $w; ?>">
-<input type="hidden" name="cp_id" value="<?php echo $cp_id; ?>">
-<input type="hidden" name="sst" value="<?php echo $sst; ?>">
-<input type="hidden" name="sod" value="<?php echo $sod; ?>">
-<input type="hidden" name="sfl" value="<?php echo $sfl; ?>">
-<input type="hidden" name="stx" value="<?php echo $stx; ?>">
-<input type="hidden" name="page" value="<?php echo $page;?>">
+<input type="hidden" name="w" value="<?php echo get_sanitize_input($w); ?>">
+<input type="hidden" name="cp_id" value="<?php echo get_sanitize_input($cp_id); ?>">
+<input type="hidden" name="sst" value="<?php echo get_sanitize_input($sst); ?>">
+<input type="hidden" name="sod" value="<?php echo get_sanitize_input($sod); ?>">
+<input type="hidden" name="sfl" value="<?php echo get_sanitize_input($sfl); ?>">
+<input type="hidden" name="stx" value="<?php echo get_sanitize_input($stx); ?>">
+<input type="hidden" name="page" value="<?php echo get_sanitize_input($page);?>">
 
 <div class="tbl_frm01 tbl_wrap">
     <table>
diff --git a/adm/shop_admin/itemsellrank.php b/adm/shop_admin/itemsellrank.php
index d9522381d..b1e387d58 100644
--- a/adm/shop_admin/itemsellrank.php
+++ b/adm/shop_admin/itemsellrank.php
@@ -68,10 +68,10 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
 </div>
 
 <form name="flist" class="local_sch01 local_sch">
-<input type="hidden" name="doc" value="<?php echo $doc; ?>">
-<input type="hidden" name="sort1" value="<?php echo $sort1; ?>">
-<input type="hidden" name="sort2" value="<?php echo $sort2; ?>">
-<input type="hidden" name="page" value="<?php echo $page; ?>">
+<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
+<input type="hidden" name="sort1" value="<?php echo get_sanitize_input($sort1); ?>">
+<input type="hidden" name="sort2" value="<?php echo get_sanitize_input($sort2); ?>">
+<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
 
 <label for="sel_ca_id" class="sound_only">검색대상</label>
 <select name="sel_ca_id" id="sel_ca_id">
diff --git a/adm/shop_admin/itemstocklist.php b/adm/shop_admin/itemstocklist.php
index b1133b20b..c55fddde8 100644
--- a/adm/shop_admin/itemstocklist.php
+++ b/adm/shop_admin/itemstocklist.php
@@ -67,10 +67,10 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
 </div>
 
 <form name="flist" class="local_sch01 local_sch">
-<input type="hidden" name="doc" value="<?php echo $doc; ?>">
-<input type="hidden" name="sort1" value="<?php echo $sort1; ?>">
-<input type="hidden" name="sort2" value="<?php echo $sort2; ?>">
-<input type="hidden" name="page" value="<?php echo $page; ?>">
+<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
+<input type="hidden" name="sort1" value="<?php echo get_sanitize_input($sort1); ?>">
+<input type="hidden" name="sort2" value="<?php echo get_sanitize_input($sort2); ?>">
+<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
 
 <label for="sel_ca_id" class="sound_only">분류선택</label>
 <select name="sel_ca_id" id="sel_ca_id">
diff --git a/adm/shop_admin/itemstocksms.php b/adm/shop_admin/itemstocksms.php
index 0a3d54474..185bcad7b 100644
--- a/adm/shop_admin/itemstocksms.php
+++ b/adm/shop_admin/itemstocksms.php
@@ -74,10 +74,10 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
 </div>
 
 <form name="flist" class="local_sch01 local_sch">
-<input type="hidden" name="doc" value="<?php echo $doc; ?>">
-<input type="hidden" name="sort1" value="<?php echo $sort1; ?>">
-<input type="hidden" name="sort2" value="<?php echo $sort2; ?>">
-<input type="hidden" name="page" value="<?php echo $page; ?>">
+<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
+<input type="hidden" name="sort1" value="<?php echo get_sanitize_input($sort1); ?>">
+<input type="hidden" name="sort2" value="<?php echo get_sanitize_input($sort2); ?>">
+<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
 
 <label for="sel_field" class="sound_only">검색대상</label>
 <select name="sel_field" id="sel_field">
diff --git a/adm/shop_admin/itemtypelist.php b/adm/shop_admin/itemtypelist.php
index 7317e141d..a7b175b37 100644
--- a/adm/shop_admin/itemtypelist.php
+++ b/adm/shop_admin/itemtypelist.php
@@ -85,8 +85,8 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
 </div>
 
 <form name="flist" class="local_sch01 local_sch">
-<input type="hidden" name="doc" value="<?php echo $doc; ?>">
-<input type="hidden" name="page" value="<?php echo $page; ?>">
+<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
+<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
 
 <label for="sca" class="sound_only">분류선택</label>
 <select name="sca" id="sca">
diff --git a/adm/shop_admin/optionstocklist.php b/adm/shop_admin/optionstocklist.php
index a86af50b4..fe035f6c3 100644
--- a/adm/shop_admin/optionstocklist.php
+++ b/adm/shop_admin/optionstocklist.php
@@ -69,10 +69,10 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
 </div>
 
 <form name="flist" class="local_sch01 local_sch">
-<input type="hidden" name="doc" value="<?php echo $doc; ?>">
-<input type="hidden" name="sort1" value="<?php echo $sort1; ?>">
-<input type="hidden" name="sort2" value="<?php echo $sort2; ?>">
-<input type="hidden" name="page" value="<?php echo $page; ?>">
+<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
+<input type="hidden" name="sort1" value="<?php echo get_sanitize_input($sort1); ?>">
+<input type="hidden" name="sort2" value="<?php echo get_sanitize_input($sort2); ?>">
+<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
 
 <label for="sel_ca_id" class="sound_only">분류선택</label>
 <select name="sel_ca_id" id="sel_ca_id">
diff --git a/adm/shop_admin/orderlist.php b/adm/shop_admin/orderlist.php
index 4aed6536a..df2cdbe2a 100644
--- a/adm/shop_admin/orderlist.php
+++ b/adm/shop_admin/orderlist.php
@@ -160,11 +160,11 @@ if( function_exists('pg_setting_check') ){
 </div>
 
 <form name="frmorderlist" class="local_sch01 local_sch">
-<input type="hidden" name="doc" value="<?php echo $doc; ?>">
-<input type="hidden" name="sort1" value="<?php echo $sort1; ?>">
-<input type="hidden" name="sort2" value="<?php echo $sort2; ?>">
-<input type="hidden" name="page" value="<?php echo $page; ?>">
-<input type="hidden" name="save_search" value="<?php echo $search; ?>">
+<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
+<input type="hidden" name="sort1" value="<?php echo get_sanitize_input($sort1); ?>">
+<input type="hidden" name="sort2" value="<?php echo get_sanitize_input($sort2); ?>">
+<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
+<input type="hidden" name="save_search" value="<?php echo get_sanitize_input($search); ?>">
 
 <label for="sel_field" class="sound_only">검색대상</label>
 <select name="sel_field" id="sel_field">
diff --git a/adm/shop_admin/wishlist.php b/adm/shop_admin/wishlist.php
index 712faeedf..b54e3bb8c 100644
--- a/adm/shop_admin/wishlist.php
+++ b/adm/shop_admin/wishlist.php
@@ -58,8 +58,8 @@ $listall = '<a href="'.$_SERVER['SCRIPT_NAME'].'" class="ov_listall">전체목
 </div>
 
 <form name="flist" class="local_sch01 local_sch">
-<input type="hidden" name="doc" value="<?php echo $doc; ?>">
-<input type="hidden" name="page" value="<?php echo $page; ?>">
+<input type="hidden" name="doc" value="<?php echo get_sanitize_input($doc); ?>">
+<input type="hidden" name="page" value="<?php echo get_sanitize_input($page); ?>">
 
 <label for="sel_ca_id" class="sound_only">검색대상</label>
 <select name="sel_ca_id" id="sel_ca_id">