Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms Security & Risk Analysis

wordpress.org/plugins/captcha-bws

1 The Ultimate Spam Protection Plugin Using Captcha for WordPress Forms.

10K active installs · v5.2.7 · PHP + · WP 6.2+ · Updated Dec 3, 2025
antispam · captcha · captcha-woocommerce · security · spam-protection
99
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Apr 5, 2024
Safety Verdict

Is Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms Safe to Use in 2026?

Generally Safe

Score 99/100

Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Apr 5, 2024 · Updated 4mo ago
Risk Assessment

The "captcha-bws" plugin version 5.2.7 exhibits a mixed security posture. While it demonstrates good practices like a high percentage of properly escaped outputs and a significant use of prepared statements for SQL queries, there are notable areas of concern. The presence of two AJAX handlers without authentication checks presents a direct entry point for potential exploitation. Furthermore, the taint analysis identified two flows with unsanitized paths, categorized as high severity, which could lead to data manipulation or unauthorized access if these paths are reachable by unauthenticated users.

The plugin's vulnerability history shows two previously disclosed medium-severity vulnerabilities, both related to guessable CAPTCHAs. While currently no unpatched vulnerabilities exist, the recurring theme of CAPTCHA weaknesses suggests a potential for similar issues to resurface or be discovered. The last vulnerability was relatively recent, indicating ongoing security scrutiny.

In conclusion, "captcha-bws" v5.2.7 has strengths in output escaping and SQL query sanitization. However, the unprotected AJAX endpoints and high-severity taint flows are significant risks that require immediate attention. The historical pattern of CAPTCHA-related vulnerabilities also warrants vigilance. Addressing these specific weaknesses would greatly improve the plugin's overall security.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized taint flows
  • Use of unserialize function
  • Medium severity CVEs in history
Vulnerabilities
2

Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms Security Vulnerabilities

CVEs by Year

1 CVE in 2014
1 CVE in 2024

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2024-31295 · medium · 5.3 · Guessable CAPTCHA

Captcha by BestWebSoft <= 5.2.0 - Captcha Bypass

Apr 5, 2024 · Patched in 5.2.1 (7d)

CVE-2014-9283 · medium · 5.3 · Guessable CAPTCHA

BestWebSoft Captcha <= 4.0.6 - CAPTCHA Bypass

Dec 5, 2014 · Patched in 4.0.7 (3336d)
Code Analysis
Analyzed Mar 16, 2026

Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 11 (19 prepared)
Unescaped Output: 45 (652 escaped)
Nonce Checks: 22
Capability Checks: 3
File Operations: 12
External Requests: 6
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $settings = unserialize( $item['settings'] ); · includes\class-cptch-package-list.php:229
unserialize · $settings = unserialize( $pack['settings'] ); · includes\class-cptch-settings-tabs.php:1178

SQL Query Safety

63% prepared · 30 total queries

Output Escaping

94% escaped · 697 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

8 flows · 2 with unsanitized paths
bws_add_menu_render (bws_menu\bws_menu.php:18)
Attack Surface
2 unprotected

Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms Attack Surface

Entry Points: 7
Unprotected: 2

AJAX Handlers 6

auth · wp_ajax_bws_submit_request_feature_action · bws_menu\class-bws-settings.php:1466
auth · wp_ajax_bws_submit_uninstall_reason_action · bws_menu\deactivation-form.php:433
auth · wp_ajax_cptch_reload · captcha-bws.php:2504
nopriv · wp_ajax_cptch_reload · captcha-bws.php:2505
nopriv · wp_ajax_validate_slide_captcha · captcha-bws.php:2516
auth · wp_ajax_validate_slide_captcha · captcha-bws.php:2517

Shortcodes 1

[bws_captcha] · captcha-bws.php:2510
WordPress Hooks 54
filter · load_textdomain_mofile · bws_menu\bws_functions.php:43
filter · mce_external_plugins · bws_menu\bws_functions.php:1146
filter · mce_buttons · bws_menu\bws_functions.php:1147
action · admin_init · bws_menu\bws_functions.php:1433
action · admin_enqueue_scripts · bws_menu\bws_functions.php:1434
action · admin_head · bws_menu\bws_functions.php:1435
action · admin_footer · bws_menu\bws_functions.php:1436
action · admin_notices · bws_menu\bws_functions.php:1438
action · wp_enqueue_scripts · bws_menu\bws_functions.php:1440
action · login_form · captcha-bws.php:197
filter · authenticate · captcha-bws.php:199
action · register_form · captcha-bws.php:208
action · signup_extra_fields · captcha-bws.php:209
action · signup_blogform · captcha-bws.php:210
filter · registration_errors · captcha-bws.php:213
filter · wpmu_validate_user_signup · captcha-bws.php:215
filter · wpmu_validate_blog_signup · captcha-bws.php:216
action · lostpassword_form · captcha-bws.php:225
filter · allow_password_reset · captcha-bws.php:227
filter · the_password_form · captcha-bws.php:235
filter · post_password_expires · captcha-bws.php:237
filter · post_password_required · captcha-bws.php:238
action · comment_form_after_fields · captcha-bws.php:250
action · comment_form_logged_in_after · captcha-bws.php:251
action · comment_form · captcha-bws.php:258
filter · preprocess_comment · captcha-bws.php:260
filter · cntctfrmpr_display_captcha · captcha-bws.php:268
filter · cntctfrm_display_captcha · captcha-bws.php:269
filter · cntctfrm_check_form · captcha-bws.php:271
filter · cntctfrmpr_check_form · captcha-bws.php:272
filter · lgnrgstrfrm_add_field · captcha-bws.php:278
filter · lgnrgstrfrm_check_field · captcha-bws.php:279
action · wp_footer · captcha-bws.php:1583
action · login_footer · captcha-bws.php:1589
action · admin_menu · captcha-bws.php:2487
action · init · captcha-bws.php:2489
action · admin_init · captcha-bws.php:2490
action · plugins_loaded · captcha-bws.php:2492
filter · plugin_action_links · captcha-bws.php:2495
filter · plugin_row_meta · captcha-bws.php:2496
action · admin_notices · captcha-bws.php:2498
action · admin_enqueue_scripts · captcha-bws.php:2500
action · wp_enqueue_scripts · captcha-bws.php:2501
action · login_enqueue_scripts · captcha-bws.php:2502
filter · cptch_display · captcha-bws.php:2507
filter · cptch_verify · captcha-bws.php:2508
filter · bws_shortcode_button_content · captcha-bws.php:2511
filter · login_form_middle · captcha-bws.php:2514
action · delete_expired_responses · captcha-bws.php:2520
filter · frm_available_fields · includes\captcha-for-formidable.php:103
filter · frm_before_field_created · includes\captcha-for-formidable.php:105
action · frm_display_added_fields · includes\captcha-for-formidable.php:106
action · frm_form_fields · includes\captcha-for-formidable.php:107
filter · frm_validate_field_entry · includes\captcha-for-formidable.php:108

Scheduled Events 1

delete_expired_responses
Maintenance & Trust

Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 3, 2025
PHP min version
Downloads: 199K

Community Trust

Rating: 82/100
Number of ratings: 20
Active installs: 10K
Developer Profile

Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms Developer Profile

bestwebsoft

17 plugins · 207K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 1729 days
Detection Fingerprints

How We Detect Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/captcha-bws/css/captcha.css
/wp-content/plugins/captcha-bws/css/jquery.countdown.css
/wp-content/plugins/captcha-bws/js/captcha.js
/wp-content/plugins/captcha-bws/js/jquery.countdown.min.js
/wp-content/plugins/captcha-bws/js/jquery.bws-textarea-maxlength.js
/wp-content/plugins/captcha-bws/bws_menu/css/bws-admin.css
/wp-content/plugins/captcha-bws/bws_menu/js/bws-admin.js
/wp-content/plugins/captcha-bws/includes/captcha-for-formidable.css
Script Paths
/wp-content/plugins/captcha-bws/js/captcha.js
/wp-content/plugins/captcha-bws/js/jquery.countdown.min.js
/wp-content/plugins/captcha-bws/js/jquery.bws-textarea-maxlength.js
/wp-content/plugins/captcha-bws/bws_menu/js/bws-admin.js
Version Parameters
captcha-bws/css/captcha.css?ver=
captcha-bws/css/jquery.countdown.css?ver=
captcha-bws/js/captcha.js?ver=
captcha-bws/js/jquery.countdown.min.js?ver=
captcha-bws/js/jquery.bws-textarea-maxlength.js?ver=
captcha-bws/bws_menu/css/bws-admin.css?ver=
captcha-bws/bws_menu/js/bws-admin.js?ver=
captcha-bws/includes/captcha-for-formidable.css?ver=

HTML / DOM Fingerprints

CSS Classes
bws_captcha_error
Data Attributes
data-bws-captcha-site-key
JS Globals
cptch_data
FAQ

Frequently Asked Questions about Captcha by BestWebSoft – Advanced Spam Protection, Math & OCR-Friendly Captcha for Site Forms