Title: [BREAKING] Security bug renders plugin useless
Last modified: August 22, 2016

---

# [BREAKING] Security bug renders plugin useless

 *  [YM_Industries](https://wordpress.org/support/users/ym_industries/)
 * (@ym_industries)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/breaking-security-bug-renders-plugin-useless/)
 * What’s the purpose of a Captcha? It’s to prevent spam. In its current form, this
   Captcha plugin does nothing to reduce spam; all it does is add an extra step
   for users.
 * Why? Because if JavaScript is disabled or not present (which is the case with
   almost all spambots) the Captcha is not displayed and comments can be submitted
   regardless.
 * In comment-form.php we have the following piece of code:
 *     ```
       public static function validate_captcha_comment_field( $commentdata ) {
       	if ( isset( $_POST['g-recaptcha-response'] ) && ! (self::captcha_verification()) ) {
       		self::$captcha_error = 'failed';
       	}
   
       	return $commentdata;
       }
       ```
   
 * This code checks if the g-recaptcha-response field is present and, iff (if and
   only if) it is, checks to see if it is valid with Google. If the field
   is missing (such as when a spambot submits the form) then no validation takes
   place and the comment is submitted.
 * Fixed code looks like this:
 *     ```
       public static function validate_captcha_comment_field( $commentdata ) {
       	if ( !isset( $_POST['g-recaptcha-response'] ) || ! (self::captcha_verification()) ) {
       		self::$captcha_error = 'failed';
       	}
   
       	return $commentdata;
       }
       ```
   
 * Similar code can be found in both login.php and registration.php and should be
   fixed too.
 * This is a major, major bug that, if not fixed, makes the plugin completely pointless.
 * [https://wordpress.org/plugins/no-captcha-recaptcha/](https://wordpress.org/plugins/no-captcha-recaptcha/)
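
The two conditions quoted in the post above, run side by side over constructed form submissions. This is an added example, not code from the plugin or from the post; `$verify` is a hypothetical stand-in for the plugin's `captcha_verification()`, and the token value is made up.

```php
<?php
// Added illustration, not the plugin's code. $verify is a hypothetical stand-in
// for captcha_verification(), which in the plugin asks Google to check the token.

/** Original condition from the post: an error is flagged only if the field exists. */
function rejected_original(array $post, callable $verify): bool {
    return isset($post['g-recaptcha-response']) && !$verify($post);
}

/** Corrected condition from the post: a missing field is itself a failure. */
function rejected_fixed(array $post, callable $verify): bool {
    return !isset($post['g-recaptcha-response']) || !$verify($post);
}

// Constructed verifier: accepts exactly one sample token and makes no network call.
$verify = function (array $post): bool {
    return ($post['g-recaptcha-response'] ?? '') === 'constructed-valid-token';
};

// Constructed submissions, one per case the post describes.
$cases = [
    'field absent (no JavaScript)' => ['comment' => 'hi'],
    'field present, empty'         => ['comment' => 'hi', 'g-recaptcha-response' => ''],
    'field present, wrong token'   => ['comment' => 'hi', 'g-recaptcha-response' => 'bogus'],
    'field present, valid token'   => ['comment' => 'hi', 'g-recaptcha-response' => 'constructed-valid-token'],
];

$regressions = 0;
foreach ($cases as $label => $post) {
    $orig  = rejected_original($post, $verify);
    $fixed = rejected_fixed($post, $verify);
    printf("%-30s original=%-8s fixed=%s\n", $label,
        $orig ? 'rejected' : 'accepted', $fixed ? 'rejected' : 'accepted');

    // Fail-closed expectation: only a token the verifier accepts may pass.
    if ($fixed === $verify($post)) {
        $regressions++;
    }
}

// Non-zero exit if the corrected condition ever accepts an unverified submission,
// so the script can double as a regression check.
exit($regressions === 0 ? 0 : 1);
```

Only the first row differs between the two columns: the original condition accepts the submission that carries no `g-recaptcha-response` field at all, while the corrected one rejects it.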

Viewing 1 replies (of 1 total)

 *  [Uthar](https://wordpress.org/support/users/uthar/)
 * (@uthar)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/breaking-security-bug-renders-plugin-useless/#post-5725947)
 * Sounds like a good solution.
 * [@plugin](https://wordpress.org/support/users/plugin/) Author, will this be implemented
   in the next version?


The topic ‘[BREAKING] Security bug renders plugin useless’ is closed to new replies.

 * Status: not resolved