ARCaptcha – Puzzle Captcha | New-generation Captcha and bot protection Security & Risk Analysis

wordpress.org/plugins/arcaptcha

Enables ARCaptcha integration with WordPress.

200 active installs · v1.13 · PHP 5.6+ · WP 4.4+ · Updated Feb 8, 2025
Tags: arcaptcha, captcha, recaptcha, spam, کپچا
92
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is ARCaptcha – Puzzle Captcha | New-generation Captcha and bot protection Safe to Use in 2026?

Generally Safe

Score 92/100

ARCaptcha – Puzzle Captcha | New-generation Captcha and bot protection has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The ARCaptcha plugin v1.13 has a generally good security posture. All SQL queries use prepared statements, and a high percentage of output is properly escaped. There are no critical or high severity taint flows, dangerous functions, file operations, or known CVEs. The notable concern is the attack surface: AJAX handlers are exposed without authentication checks. The number of these handlers is small, but without proper authorization mechanisms unauthorized users may be able to trigger plugin functionality. The limited number of nonce and capability checks, together with the unprotected AJAX handlers, marks the areas where security controls could be strengthened.

In conclusion, ARCaptcha v1.13 handles data well and has a clean vulnerability history. Its primary weakness is the exposure of AJAX endpoints without adequate access control, and addressing these unprotected entry points should be the priority for improving the plugin's overall security.

Key Concerns

  • Unprotected AJAX handlers
  • Limited nonce checks
  • Limited capability checks
Vulnerabilities
None known

ARCaptcha – Puzzle Captcha | New-generation Captcha and bot protection Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

ARCaptcha – Puzzle Captcha | New-generation Captcha and bot protection Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 4 (57 escaped)
Nonce Checks: 2
Capability Checks: 1
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Output Escaping

93% escaped, 61 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
arcap_display_options_page (backend\settings.php:20)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
3 unprotected

ARCaptcha – Puzzle Captcha | New-generation Captcha and bot protection Attack Surface

Entry Points: 5
Unprotected: 3

AJAX Handlers 3

nopriv  wp_ajax_digits_submit_form  digits\digits.php:17
nopriv  wp_ajax_digits_check_mob  digits\digits.php:19
auth  wp_ajax_digits_check_mob  digits\digits.php:21

Shortcodes 2

[arcaptcha] common\functions.php:91
[cf7-arcaptcha] src\php\CF7\CF7.php:40
WordPress Hooks 39
action  before_woocommerce_init  arcaptcha.php:70
action  plugins_loaded  arcaptcha.php:187
action  wp_enqueue_scripts  arcaptcha.php:203
action  login_enqueue_scripts  arcaptcha.php:204
action  plugins_loaded  arcaptcha.php:218
action  admin_menu  backend\nav.php:34
filter  script_loader_tag  common\functions.php:3
action  comment_form_after_fields  default\comment-form.php:29
filter  comment_form_field_comment  default\comment-form.php:57
filter  preprocess_comment  default\comment-form.php:84
filter  login_form  default\login-form.php:30
filter  wp_authenticate_user  default\login-form.php:67
action  lostpassword_form  default\lost-password.php:15
action  lostpassword_post  default\lost-password.php:16
filter  register_form  default\register-form.php:30
filter  registration_errors  default\register-form.php:57
action  wp_print_footer_scripts  digits\digits.php:8
filter  script_loader_tag  digits\digits.php:9
action  wp_print_footer_scripts  digits\digits.php:12
filter  script_loader_tag  digits\digits.php:13
filter  wpcf7_form_elements  src\php\CF7\CF7.php:39
filter  wpcf7_validate  src\php\CF7\CF7.php:41
action  wp_print_footer_scripts  src\php\CF7\CF7.php:42
action  wp_print_footer_scripts  src\php\ElementorPro\ARCaptchaField.php:13
action  elementor/preview/init  src\php\ElementorPro\ARCaptchaField.php:15
filter  elementor_pro/forms/render/item  src\php\ElementorPro\ARCaptchaField.php:17
action  wp_footer  src\php\ElementorPro\ARCaptchaField.php:50
action  elementor_pro/forms/fields/register  src\php\ElementorPro\ElementorPro.php:14
filter  woocommerce_order_button_html  wc\wc-checkout.php:45
action  woocommerce_after_checkout_billing_form  wc\wc-checkout.php:59
action  woocommerce_checkout_process  wc\wc-checkout.php:76
action  woocommerce_login_form  wc\wc-login.php:30
filter  woocommerce_process_login_errors  wc\wc-login.php:57
action  woocommerce_lostpassword_form  wc\wc-lost-password.php:15
action  lostpassword_post  wc\wc-lost-password.php:18
action  woocommerce_register_form  wc\wc-register.php:30
filter  woocommerce_process_registration_errors  wc\wc-register.php:55
filter  wpforms_display_submit_before  wpforms\wpforms.php:28
filter  wpforms_process  wpforms\wpforms.php:57
Maintenance & Trust

ARCaptcha – Puzzle Captcha | New-generation Captcha and bot protection Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Feb 8, 2025
PHP min version: 5.6
Downloads: 6K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 200
Developer Profile

ARCaptcha – Puzzle Captcha | New-generation Captcha and bot protection Developer Profile

arcaptcha

1 plugin · 200 total installs

Trust score: 88
Avg Security Score: 92/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect ARCaptcha – Puzzle Captcha | New-generation Captcha and bot protection

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/arcaptcha/default/invisible.js
Script Paths
https://widget.arcaptcha.ir/1/api.js
Version Parameters
arcaptcha-script

HTML / DOM Fingerprints

CSS Classes
arcaptcha
Data Attributes
data-site-key, data-lang, data-color, data-theme
Shortcode Output
[arcaptcha]