Thanks for reporting this. We were able to track down a bug introduced in the 1.4x branch whereby the captcha could be bypassed and have resolved it in the 1.5 branch, just released.
Just a followup to say that because the problem in the 1.4 branch arose from unexpected behaviour in WordPress Core we have filed a bug report: https://core.trac.wordpress.org/ticket/46748