Contact Form 7 reCAPTCHA plugin support topic: Good, but currently flawed

  • This plugin is great! However, there’s currently a pretty major flaw with how it is implemented. The wpcf7_validate() function, which essentially checks to make sure the CAPTCHA check passed, only actually validates the CAPTCHA response if the “contact_form_7_recaptcha” POST parameter is present.

    So, all a malicious user would need to do would be to simply omit “contact_form_7_recaptcha” from the POST data…

    An alternative approach that isn’t vulnerable to this weakness would be to load the form itself from the DB and check to see if the recaptcha shortcode is present. If it is, then the validation would proceed. If it isn’t, then validation is unnecessary.

    Also, in its current form, the plugin doesn’t show any sort of feedback if the user fails to check the box. I modified script.js so that an error message (“Please check the box.”) is shown in this case.

    • This topic was modified 1 year, 4 months ago by  rinogo.
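The alternative the post suggests, written out as an added example that is not the plugin's own code: the decision to validate is taken from the stored form template (does it contain a recaptcha tag?) rather than from whether the client sent a particular POST field, and a missing response fails the same way as a wrong one. It assumes Contact Form 7's `wpcf7_validate` filter, `WPCF7_ContactForm::get_current()`, `scan_form_tags()` and `WPCF7_Validation::invalidate()`; the option name `example_recaptcha_secret_key` and the function names are assumptions.

```php
<?php
// Added example (not the plugin's code). Validates the reCAPTCHA whenever the
// form template contains a [recaptcha] tag, regardless of which POST fields
// the client chose to send. Option name and function names are assumptions.

add_filter( 'wpcf7_validate', 'example_recaptcha_validate', 10, 2 );

function example_recaptcha_validate( $result, $tags ) {
    $form = WPCF7_ContactForm::get_current();
    if ( ! $form ) {
        return $result;
    }

    // Decide from the stored form, not from the request, whether a CAPTCHA
    // check is required. Omitting a POST field cannot skip this branch.
    $recaptcha_tags = $form->scan_form_tags( array( 'type' => 'recaptcha' ) );
    if ( empty( $recaptcha_tags ) ) {
        return $result; // this form has no CAPTCHA; nothing to validate
    }

    $tag    = $recaptcha_tags[0];
    $secret = get_option( 'example_recaptcha_secret_key' ); // assumed option name

    // Google's widget posts the token as g-recaptcha-response; a missing
    // token is treated exactly like a failed verification.
    $response = isset( $_POST['g-recaptcha-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) )
        : '';

    if ( '' === $response || ! example_recaptcha_verify( $secret, $response ) ) {
        $result->invalidate( $tag, 'Please check the box.' );
    }

    return $result;
}

// Server-side verification against Google's siteverify endpoint. Fails closed
// on transport errors so an outage cannot turn into a bypass.
function example_recaptcha_verify( $secret, $response ) {
    $http = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array( 'secret' => $secret, 'response' => $response ),
    ) );
    if ( is_wp_error( $http ) || 200 !== wp_remote_retrieve_response_code( $http ) ) {
        return false;
    }
    $body = json_decode( wp_remote_retrieve_body( $http ), true );
    return is_array( $body ) && ! empty( $body['success'] );
}
```

The message passed to `invalidate()` also gives the server-side counterpart of the "Please check the box." feedback the post added to script.js, so the user sees an error even when JavaScript is disabled.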