Support » Plugin: Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder » Found out why reCAPTCHA and other protection don’t work

  • Resolved rinart73


    I looked at the plugin code and found out that:

    • It is possible to bypass the “nonce” protection if you just don’t include the “fm_form_nonce[FORM_NUMBER]” in your POST request.
      Then the code that checks it (file “frontend/models/form_maker.php“, line 1201) doesn’t even get executed.
    • You can bypass any supported reCAPTCHA by not including the “save_or_submit[FORM_NUMBER]” field in a POST request. This is because in the file “frontend/models/form_maker.php” (line 1117) the plugin checks whether the ‘save_or_submit’ field exists (and does not equal “save”) and then checks the reCAPTCHA.
    • This topic was modified 6 months, 2 weeks ago by rinart73.
  • Plugin Support Zhanna Khachatryan


    Hi @rinart73 ,

    Thanks for sharing your findings with us.

    Our developers will check the issues you mentioned and will work on solving them.



    I concur with this – in frontend/models/form_maker.php, if the spammer sets $_POST['counter1'] (which is set by a hidden field on the form anyway) then the test at line 1104 is passed. If you DON’T set $_POST['save_or_submit1'] then the test at 1106 fails and you skip down to the else at 1185-1187 which sets $correct = TRUE; Job done – spam sent, all CAPTCHAs evaded.

    Shouldn’t line 1187 be $correct = FALSE?

    Everything works fine if I make this change.

    Hope this is useful,


    • This reply was modified 6 months ago by karlwilcox.
    • This reply was modified 6 months ago by karlwilcox. Reason: spelling
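
The fail-open branch described in the two posts above, next to the fail-closed change suggested in the reply, as an added example that is not part of the thread and is not the plugin's code. The function names, the `$verifyCaptcha` callback and the sample field values are assumptions made for illustration.

```php
<?php
// Simplified model of the control flow described in this thread. It is NOT the
// plugin's code; function names and the $verifyCaptcha callback are hypothetical.

// Fail-open: the CAPTCHA is only consulted when the client sends the field,
// so the client decides whether the check runs at all.
function submission_ok_fail_open(array $post, int $formId, callable $verifyCaptcha): bool
{
    if (!isset($post['counter' . $formId])) {
        return false;                          // not a submission for this form
    }
    $key = 'save_or_submit' . $formId;
    if (isset($post[$key]) && $post[$key] !== 'save') {
        return (bool) $verifyCaptcha($post);   // CAPTCHA checked on this path only
    }
    return true;                               // fallback branch: accepted unchecked
}

// Fail-closed: same structure with the change suggested in the thread, so the
// fallback branch rejects instead of accepting.
function submission_ok_fail_closed(array $post, int $formId, callable $verifyCaptcha): bool
{
    if (!isset($post['counter' . $formId])) {
        return false;
    }
    $key = 'save_or_submit' . $formId;
    if (isset($post[$key]) && $post[$key] !== 'save') {
        return (bool) $verifyCaptcha($post);
    }
    return false;                              // missing field or "save": reject
}

// Constructed sample requests for form 1. The CAPTCHA stub always fails, as it
// would for an automated submission that carries no valid token.
$captchaFails = function (array $post): bool { return false; };
$requests = [
    'field present, bad captcha' => ['counter1' => '3', 'save_or_submit1' => 'submit'],
    'field omitted'              => ['counter1' => '3'],
];
foreach ($requests as $label => $post) {
    printf("%-27s fail-open=%s fail-closed=%s\n", $label,
        var_export(submission_ok_fail_open($post, 1, $captchaFails), true),
        var_export(submission_ok_fail_closed($post, 1, $captchaFails), true));
}
```

Only the fail-open variant returns a different result for the two requests, which is the signal to look for when reviewing server-side validation: a security check whose execution depends on the presence of a client-supplied field.
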
    Plugin Support Zhanna Khachatryan


    Hi Karl,

    We have updated the plugin and the bug is fixed.

    Thank you very much for your contribution.



    Has this been fixed? I am running Form Maker Pro 2.12.31 after updating the plugin and I’m still experiencing endless spam problems.

    This is my version’s change log:

    * Improved: CSV, XML export.
    * Improved: default email design
    * Improved: Minor improvements in email options
    * Fixed: PHP validation for email.
    * Fixed: Front end submissions: Hide Id field.
    * Fixed: Preserve the list of columns displayed when changing the page.
    * Fixed: Do not display ScrollBox form after Successful submission.

    Has the fix been added to it or do I need to fix it manually?

    Plugin Support Zhanna Khachatryan


    Hello @gabrielfiguer,

    I am very sorry to get back to you late.

    The issue with spam has been fixed since version 1.13.17 for free users and 2.13.17 for premium users.

    Please update the plugin, your form maker’s version is quite old now.



    While 2.12.31 sounds distant from 2.13.17, from a programmer’s perspective it doesn’t sound that distant. I update the plugin when the plugin displays an update notice, so if it’s not displaying one, perhaps the license expired or the plugin isn’t working as expected. In any case, I fixed the issue following karlwilcox’s suggestion. We’ve been using the plugin for several years and while I personally like it, it’s only been the first three days without being assaulted by spam (which led us to evaluate other form builder alternatives). karlwilcox’s suggestion came one month ago, so it hasn’t been that long since the spam fix was put in place. I will keep testing it before we decide to purchase a newer license.

    Plugin Support Zhanna Khachatryan


    Hi @gabrielfiguer,

    Dear user, we continuously work on the development of our plugin. Having had the plugin for several years, I think you have noticed that over time we have worked on improving the plugin’s functionality and features.

    Now, thanks to Karl and our developers, we have highly improved spam protection, so please give it a try, and if you have a spam issue again, please let us know.
