Ran into a potential security issue that would allow any user to bypass reCAPTCHA and registration will still work.
I am using Firefox (8.0) and the RequestPolicy add-in (v0.5.23). That add-on allows me to block browser requests to other sites. In this case, it was blocking the request to google for the reCAPTCHA.
With it blocked, I expected the registration to fail, as it would not have a valid code (since it never showed up on the page).
Turns out it let me register as if there was no reCAPTCHA (of course, there was none on screen).
I don't think this is an reCAPTCHA problem. If I use a service like hotfile.com, and I block google/recaptcha, it won't let me continue. I have to enable/unblock in order for it to continue. However, with the cimy plug-in, if i block google/recaptcha, it proceeds as if it never needed the verification.
If I unblock google/recaptcha for when accessing my site using cimy, it works as expected and prevents registration if i mistype the code.
I have not tried any other registration enhancement plug-ins on wordpress, so I don't know if the others would behave similarly.
Role Scoper 1.3.46
Category Icons Lite 1.0.4