[凹凸曼]中文验证码 Security & Risk Analysis

wordpress.org/plugins/apoyl-captcha

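Displays a pop-up Chinese click captcha when users log in to or register on the site, to prevent malicious registrations, malicious content posting, and malicious comments.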

10 active installs · v1.4.0 · PHP 7.4+ · WP 6.0+ · Updated Apr 24, 2025
captcha, click verification, verification code
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is [凹凸曼]中文验证码 Safe to Use in 2026?

Generally Safe

Score 100/100

[凹凸曼]中文验证码 has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 11mo ago
Risk Assessment

The "apoyl-captcha" plugin version 1.4.0 exhibits a mixed security posture. On the positive side, it demonstrates good practices in several areas. The absence of any known CVEs, critical taint flows, raw SQL queries, external HTTP requests, and bundled libraries suggests a well-maintained and secure codebase in these respects. The majority of its output is properly escaped, and it includes nonce checks, which are fundamental security measures.

However, a significant concern arises from the presence of an unprotected AJAX handler. The plugin has a single entry point, and that entry point has no authentication checks, so unauthenticated users have a direct pathway to the plugin's backend functionality. While taint analysis shows no critical or high-severity vulnerabilities in its flows, the lack of authorization on this AJAX endpoint could lead to vulnerabilities if the handler performs sensitive actions or manipulates data without proper checks. This single unprotected entry point is the most prominent weakness identified.

In conclusion, while "apoyl-captcha" v1.4.0 has a strong history of security and implements several good coding practices, the unprotected AJAX handler represents a notable vulnerability. If this AJAX handler performs any action that can be leveraged by an attacker, it could lead to exploitation. Therefore, while the overall history is reassuring, this specific code artifact warrants immediate attention and remediation.

Key Concerns

  • Unprotected AJAX handler
  • Low percentage of properly escaped output
Vulnerabilities
None known

[凹凸曼]中文验证码 Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

[凹凸曼]中文验证码 Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 2 (8 escaped)
Nonce Checks: 2
Capability Checks: 0
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Output Escaping

80% escaped · 10 total outputs
Attack Surface
1 unprotected

[凹凸曼]中文验证码 Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

  • nopriv · wp_ajax_apoyl_captcha_ajax · includes\captcha.php:64

WordPress Hooks: 4

  • action · plugins_loaded · includes\captcha.php:46
  • action · admin_menu · includes\captcha.php:51
  • action · login_enqueue_scripts · includes\captcha.php:61
  • action · register_form · includes\captcha.php:63
Maintenance & Trust

[凹凸曼]中文验证码 Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 24, 2025
PHP min version: 7.4
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

[凹凸曼]中文验证码 Developer Profile

apoyl

27 plugins · 710 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect [凹凸曼]中文验证码

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/apoyl-captcha/public/css/captcha.css
  • /wp-content/plugins/apoyl-captcha/public/js/js.cookie.min.js
  • /wp-content/plugins/apoyl-captcha/public/js/clicaptcha.js
  • /wp-content/plugins/apoyl-captcha/admin/css/admin.css
  • /wp-content/plugins/apoyl-captcha/admin/js/admin.js

Script Paths

  • /wp-content/plugins/apoyl-captcha/public/js/js.cookie.min.js
  • /wp-content/plugins/apoyl-captcha/public/js/clicaptcha.js
  • /wp-content/plugins/apoyl-captcha/admin/js/admin.js

Version Parameters

  • apoyl-captcha?ver=
  • apoyl-captcha/css/admin.css?ver=
  • apoyl-captcha/js/admin.js?ver=
  • apoyl-captcha/api/clicaptcha/css/captcha.css?ver=
  • apoyl-captcha/public/js/js.cookie.min.js?ver=
  • apoyl-captcha/public/js/clicaptcha.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • apoyl-captcha-main
  • apoyl-captcha-content

HTML Comments

  • <!-- The plugin is ready to go -->
  • <!-- This is the main content that will be displayed -->
  • <!-- This is the content for the captcha pop-up -->
  • <!-- Here goes the interactive elements for the captcha -->

Data Attributes

  • data-apoyl-captcha-url
  • data-apoyl-captcha-action
  • data-apoyl-captcha-id

JS Globals

  • apoyl_captcha_url
  • apoyl_captcha_settings

REST Endpoints

  • /wp-json/apoyl-captcha/v1/settings

Shortcode Output

  • [apoyl_captcha]
  • [apoyl_captcha type="image"]
  • [apoyl_captcha type="text"]