This plugin is great! However, there’s currently a pretty major flaw with how it is implemented. The wpcf7_validate() function, which essentially checks to make sure the CAPTCHA check passed, only actually validates the CAPTCHA response if the “contact_form_7_recaptcha” POST parameter is present.
So, all a malicious user would need to do would be to simply omit “contact_form_7_recaptcha” from the
An alternative approach that isn’t vulnerable to this weakness would be to load the form itself from the DB and check to see if the recaptcha shortcode is present. If it is, then the validation would proceed. If it isn’t, then validation is unnecessary.
Also, in its current form, the plugin doesn’t show any sort of feedback if the user fails to check the box. I modified script.js so that an error message (“Please check the box.”) is shown in this case.
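The flawed gate and the form-driven alternative described in this post, as an added PHP example that is not the plugin’s own code; the function names, the [recaptcha] form tag and the injectable $verify callable are assumptions.

```php
<?php
// Added example, not the plugin's code. Function names, the '[recaptcha]'
// form tag and the injectable $verify callable are assumptions.

// Does the stored form template contain a [recaptcha] tag? Inside WordPress,
// has_shortcode($template, 'recaptcha') does the same for a registered tag.
function form_expects_captcha(string $form_template): bool {
    return (bool) preg_match('/\[recaptcha(\s[^\]]*)?\]/', $form_template);
}

// Flawed gate (the behaviour described above): the check only runs when the
// client sends the field, so a request without it is never validated.
function captcha_gate_flawed(array $post, callable $verify): bool {
    if (!isset($post['contact_form_7_recaptcha'])) {
        return true;
    }
    return $verify($post['contact_form_7_recaptcha']);
}

// Hardened gate: the server-side form definition, not the request, decides
// whether a CAPTCHA is required; a missing response then fails.
function captcha_gate_hardened(string $form_template, array $post, callable $verify): bool {
    if (!form_expects_captcha($form_template)) {
        return true; // form has no CAPTCHA field, nothing to validate
    }
    if (empty($post['contact_form_7_recaptcha'])) {
        return false; // omitted or blank response is a failure, not a skip
    }
    return $verify($post['contact_form_7_recaptcha']);
}

// Constructed inputs: a stand-in verifier that accepts one known-good token.
$verify = fn(string $token): bool => $token === 'good-token';
$template = "[text* your-name] [email* your-email]\n[recaptcha]\n[submit]";

// A request without the field passes the flawed gate...
assert(captcha_gate_flawed([], $verify) === true);
// ...but is rejected by the hardened one; good and bad tokens still behave.
assert(captcha_gate_hardened($template, [], $verify) === false);
assert(captcha_gate_hardened($template, ['contact_form_7_recaptcha' => 'good-token'], $verify) === true);
assert(captcha_gate_hardened($template, ['contact_form_7_recaptcha' => 'forged'], $verify) === false);
// A form without the tag still submits normally.
assert(captcha_gate_hardened('[text* your-name] [submit]', [], $verify) === true);
```

Run with zend.assertions=1 so the assert() calls are evaluated; in a real plugin the $verify callable would be the HTTP call to the reCAPTCHA verification endpoint.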