Resolved Oliver Campion

    (@domainsupport)


    Hi,

    Further to the previous support ticket that was marked as “resolved” before the issue had been actually resolved …

    We use Contact Form 7 with this hCaptcha plugin and somehow spam bots are able to bypass the hCaptcha field and still send through spam. This is not likely to be manually entered forms because of the sheer quantity that are successfully delivered.

    We’ve set the complexity on hCaptcha website to “difficult” and the hCaptcha dashboard claims that only 6 have been solved for this site.

    I believe that spam bots are somehow able to bypass the hCaptcha field and if you are not able to replicate this issue then we will debug your plugin for you and report back.

    Please do not mark this thread as “resolved” until it’s actually been resolved.

    Oliver


    Plugin Contributor kaggdesign

    (@kaggdesign)

    We cannot help you with this, so I have closed the previous topic. “I believe that spam bots are somehow able to bypass the hCaptcha field” – we have no evidence of it. So far, the problem can be related to your theme or set of plugins.

    We need a minimal reproducible example. The empty site, standard theme, and two plugins – CF7 and hCaptcha. Some description of actions or external code which breaks hCaptcha protection. Under these conditions, we can make relevant fixes.

    Could you provide us with such a minimal reproducible example? Thank you.

    Thread Starter Oliver Campion

    (@domainsupport)

    Yes. We are going to log the $_POST variable and all other associated variables to see how the bots are doing it.

    We are running unrelated plugins and the default Twenty Twenty-One theme.

    We will have the data for you soon enough and we may even have the solution so that you can help others in the future.

    Oliver

    Thread Starter Oliver Campion

    (@domainsupport)

    OK, I think I’ve worked out what the problem is.

    Your plugin uses wpcf7_validate hook to validate the h-captcha-response.

    Which is fine and works.

    But … some bots are managing to process Contact Form 7 forms without firing wpcf7_validate. I know this because I just received another spam email and my debug.log file was empty despite having this …

    // Hook into CF7 validation and dump the raw POST body to debug.log (WP_DEBUG_LOG must be on)
    add_filter( 'wpcf7_validate', 'domain_support_wpcf7_validate', 10, 2 );

    function domain_support_wpcf7_validate( $result, $tag ) {
        // Log every submitted field so we can see exactly what a bot sends
        error_log( print_r( $_POST, true ) );

        // Pass the validation result through unchanged
        return $result;
    }

    And yes, testing the form produced this …

    [06-Dec-2022 10:18:52 UTC] Array
    (
        [your-name] => Oliver Campion
        [your-email] => info@XXXXXXXX.co.uk
        [your-telephone] => XXXXXXXX
        [your-message] => Testing form
        [g-recaptcha-response] => -response removed-
        [h-captcha-response] => -response removed-
    )

    … and another bot that used the form produced this (no email was received, which is good) …

    [06-Dec-2022 20:53:39 UTC] Array
    (
        [your-name] => SpamName
        [your-email] => spammyaddress@gmail.com
        [your-telephone] => 86581962762
        [your-message] => <b>-spam content removed-</b> 
        [submit] => Send
    )

    So we know that …

    1. Your plugin works on Contact Form 7 for real humans and email is sent (wpcf7_validate hook is fired)
    2. Your plugin works on Contact Form 7 to detect bots that submit the form the same way a human would using a web browser and email is not sent (wpcf7_validate hook is fired)
    3. Your plugin does not work on Contact Form 7 to detect bots that submit the form in a way that wpcf7_validate hook is not fired and the spam email is delivered

    I hope this helps you discover the problem.

    If you still need me to find out how they are submitting forms on Contact Form 7 and bypassing the wpcf7_validate hook, let me know but you should have enough information to solve the problem yourselves now.

    Oliver
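To triage a debug.log filled by a logging filter like the one above, here is an added Python example (not code from the thread or from the hCaptcha plugin) that parses the print_r($_POST) dumps and flags submissions that arrive without an h-captcha-response field, the signature of the bot entry quoted above. The log text is constructed to mirror those dumps and the values are made up; it assumes flat (non-nested) arrays.

```python
import re

# Constructed sample modelled on the print_r($_POST) dumps quoted in the thread.
SAMPLE_LOG = """\
[06-Dec-2022 10:18:52 UTC] Array
(
    [your-name] => Jane Tester
    [your-email] => jane@example.invalid
    [your-message] => Testing form
    [h-captcha-response] => P0_constructed_token_value
)
[06-Dec-2022 20:53:39 UTC] Array
(
    [your-name] => SpamName
    [your-email] => spam@example.invalid
    [your-message] => <b>buy now</b> 
    [submit] => Send
)
[06-Dec-2022 21:10:02 UTC] PHP Notice:  unrelated line that must be ignored
"""

# One dump: "[timestamp] Array" then "(" ... ")" at column 0 (nested arrays close indented).
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Array\n\((?P<body>.*?)\n\)", re.M | re.S)
# One field line inside a dump: "    [key] => value"
FIELD_RE = re.compile(r"^\s*\[(?P<key>[^\]]+)\] => (?P<val>.*)$", re.M)


def parse_post_dumps(log_text):
    """Yield (timestamp, {field: value}) for every print_r($_POST) dump in the log."""
    for m in ENTRY_RE.finditer(log_text):
        fields = {f.group("key"): f.group("val").rstrip() for f in FIELD_RE.finditer(m.group("body"))}
        yield m.group("ts"), fields


def classify(fields):
    """Label a submission by the captcha evidence it carries (presence only; the
    token itself still has to be verified server-side against hCaptcha)."""
    token = fields.get("h-captcha-response")
    if token is None:
        return "no-captcha"        # field omitted entirely: the pattern seen from the bot
    if token.strip() == "":
        return "empty-captcha"     # widget rendered but never solved
    return "captcha-present"


def triage(log_text):
    """Return [(timestamp, label, sender email)] for each dump, in log order."""
    return [(ts, classify(f), f.get("your-email", "")) for ts, f in parse_post_dumps(log_text)]
```

Run it against a real debug.log and compare the "no-captcha" rows with the spam mails that were actually delivered: a match confirms that those submissions never carried a token for the plugin to verify.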

    Plugin Contributor kaggdesign

    (@kaggdesign)

    And here we come to what we started from: “But … some bots are managing to process Contact Form 7 forms without firing wpcf7_validate.”. Some bots fool up CF7 and can send the form without internal checks. wpcf7_validate is the cornerstone mechanism of CF7 security. It is avoided.

    It would be best if you addressed your question to the CF7 support.

    Thread Starter Oliver Campion

    (@domainsupport)

    I’m afraid not.

    I have discovered you have quite a serious bug with your integration with Contact Form 7 which will need addressing ASAP because it affects all users of your plugin that use Contact Form 7 (which I’m assuming is quite a few).

    I will attempt to explain what the issue is as simply as possible so you are able to understand.

    I will also provide a fix so you can rectify the problem.

    On line 112 of /src/php/CF7/CF7.php

    $wpcf7_id = filter_var(
        // phpcs:ignore WordPress.Security.NonceVerification.Missing
        isset( $_POST['_wpcf7'] ) ? wp_unslash( $_POST['_wpcf7'] ) : 0,
        FILTER_VALIDATE_INT
    );

    … you are using $_POST['_wpcf7'] to get the ID of the submitted form. I believe this method was deprecated with v5.2 of Contact Form 7 in July 2020 and is not always in the $_POST array.

    This means that on line 118 …

    if ( empty( $wpcf7_id ) ) {
        return $result;
    }

    … the hCaptcha hcaptcha_request_verify() is bypassed because $wpcf7_id has been set to zero.

    So … not only does this mean that spam bots have been able to bypass your verification system with Contact Form 7 by omitting the _wpcf7 element of the $_POST array but also humans may not have had their hCaptcha verified since July 2020!

    In order to fix this problem, please replace the code on line 112 above with this …

    $wpcf7_form = WPCF7_ContactForm::get_current();
    $wpcf7_id = $wpcf7_form->id;

    Oliver

    Plugin Contributor kaggdesign

    (@kaggdesign)

    Thank you for your consideration. Your changes make no sense if the wpcf7_validate hook is not fired. I cannot force CF7 to fire this hook.

    On the other hand, if the hook is actually fired, using the $_POST here could create a problem if a bot unsets wpcf7_id from the POST array. I have simplified and strengthened the code for verifying CF7. You can get it from the 2.2.0 branch: https://github.com/hCaptcha/hcaptcha-wordpress-plugin/commits/v2.2.0

    V2.2.0 will be published in a few days.

    Thread Starter Oliver Campion

    (@domainsupport)

    The issue is not that wpcf7_validate is not being fired (as I had originally thought) but the _wpcf7 element being omitted (not unset) from the $_POST() array.

    _wpcf7 is not required in $_POST() because the form ID is taken from the REST endpoint namely …

    [REQUEST_URI] => /wp-json/contact-form-7/v1/contact-forms/{ID}/{name}

    So your plugin requiring it to be present to validate the hCaptcha key is flawed.

    Thank you for taking this onboard, however … I’ve had a quick look. Before your plugin would generate the contact form shortcode then search for the site key to make sure that the form requires an hCaptcha. Your new code will try to verify all form submissions whether the form has an hCaptcha field or not. Won’t that break the form for any forms that are deliberately not using hCaptcha?

    Oliver

    Plugin Contributor kaggdesign

    (@kaggdesign)

    Concerning a quick look. When the CF7 settings toggle is on, each and every CF7 will have an hCaptcha element. When it is off, no hCaptcha elements are inserted in CF7 form.

    The code you discussed is very outdated. Currently, we cannot provide a mechanism to selectively add hCaptcha to any form by the 40 plugins we support. It is in our plans, but we cannot say anything about the anticipated date of the realization.

    Thread Starter Oliver Campion

    (@domainsupport)

    Thank you for the update.

    I will return to this thread when v2.2.0 is released.

    Oliver

    Plugin Contributor kaggdesign

    (@kaggdesign)

    The plugin was updated 5 days ago. As I do not see any further comments here, I understand that no spam activity is present any more, right?

    Thread Starter Oliver Campion

    (@domainsupport)

    Yes! I don’t want to jinx it but it would indeed appear to have resolved the issue!

    I’m glad I was able to help you.

    I’ll mark the ticket as resolved.

    Oliver

    Plugin Contributor kaggdesign

    (@kaggdesign)

    Thank you for your report and persistence. Our lengthy discussion led me to the understanding of what can be used by bots to avoid CF7 verification in legacy code.

    I am glad to hear that the changes solved the problem.

    Many thanks again.


The topic ‘Spam bots bypass hCaptcha with Contact Form 7’ is closed to new replies.