Captcha Them All Security & Risk Analysis

wordpress.org/plugins/captcha-them-all

In any online website, hackers and unscrupulous users will try and attack your website. Whether it is trying to attack your website by brute forcing …

6K active installs · v1.4.2 · PHP + WP 4.7+ · Updated Dec 20, 2023
antispam, capcha, captcha, captcha-numbers, captcha-plugin
85
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 18, 2023
Safety Verdict

Is Captcha Them All Safe to Use in 2026?

Generally Safe

Score 85/100

Captcha Them All has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 18, 2023 · Updated 2yr ago
Risk Assessment

The "captcha-them-all" v1.4.2 plugin exhibits a mixed security posture. It has a limited attack surface, with no identified entry points requiring authentication, and no unpatched vulnerabilities in its recent history, but the static analysis raises several concerns. The presence of a dangerous function, `proc_open`, and the large share of output that is not properly escaped (75%) raise red flags for potential code execution or cross-site scripting vulnerabilities.

The taint analysis reinforces these concerns: 5 of 7 flows have unsanitized paths, including two of high severity. This indicates potential pathways for malicious input to be processed in an unsafe manner. Coupled with the plugin's history of a medium-severity Cross-site Scripting vulnerability, these taint flow results suggest a continued risk in how user-supplied data is handled within the plugin.

Despite the lack of an apparent attack surface through AJAX, REST API, shortcodes, or cron events in this version, and the absence of unpatched CVEs, the internal code quality concerning output escaping and unsanitized data flows is a significant weakness. The use of `proc_open` without clear context on its usage and sanitization is also a point of concern. While the plugin has strengths in its limited exposure and recent patch status, the inherent risks in data handling and the presence of dangerous functions necessitate caution.

Key Concerns

  • High severity taint flows found
  • Flows with unsanitized paths
  • Dangerous function (proc_open) found
  • Low percentage of properly escaped output
  • Medium severity CVE in history
Vulnerabilities
1 published

Captcha Them All Security Vulnerabilities

CVEs by Year

1 CVE in 2023

Severity Breakdown

Medium: 1

1 total CVE

CVE-2023-30786 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Captcha Them All <= 1.3.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 18, 2023 · Patched in 1.4 (280d)
Version History

Captcha Them All Release Timeline

v1.4.2 · Current
v1.4.1
v1.4
v1.3.3 · 1 CVE
v1.3.2 · 1 CVE
v1.3.1 · 1 CVE
v1.3 · 1 CVE
v1.2 · 1 CVE
v1.1.1 · 1 CVE
v1.1 · 1 CVE
v1.0.2 · 1 CVE
v1.0.1 · 1 CVE
v1.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Captcha Them All Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 10 · 8 prepared
Unescaped Output: 44 · 15 escaped
Nonce Checks: 3
Capability Checks: 2
File Operations: 28
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

proc_open · `$proc = proc_open($cmd, $descriptors, $pipes);` · securimage\securimage.php:3201

SQL Query Safety

44% prepared · 18 total queries

Output Escaping

25% escaped · 59 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

7 flows · 5 with unsanitized paths
validateCaptchaResponse (captcha-them-all.php:689)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

Captcha Them All Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 27
action · admin_notices · captcha-them-all.php:1401
action · login_form · captcha-them-all.php:1441
action · woocommerce_login_form · captcha-them-all.php:1442
action · register_form · captcha-them-all.php:1443
action · woocommerce_register_form · captcha-them-all.php:1444
action · lostpassword_form · captcha-them-all.php:1445
action · woocommerce_lostpassword_form · captcha-them-all.php:1446
action · comment_form_after_fields · captcha-them-all.php:1447
action · wpcf7_init · captcha-them-all.php:1453
filter · wpcf7_validate_cta_recaptcha* · captcha-them-all.php:1459
filter · authenticate · captcha-them-all.php:1483
filter · registration_errors · captcha-them-all.php:1490
filter · woocommerce_registration_errors · captcha-them-all.php:1491
filter · woocommerce_registration_error_email_exists · captcha-them-all.php:1492
filter · plugin_action_links_captcha-them-all/captcha-them-all.php · captcha-them-all.php:1499
action · lostpassword_post · captcha-them-all.php:1507
filter · pre_comment_approved · captcha-them-all.php:1513
action · send_headers · captcha-them-all.php:1519
action · send_headers · captcha-them-all.php:1525
action · woocommerce_after_checkout_registration_form · captcha-them-all.php:1531
action · admin_init · captcha-them-all.php:1538
action · login_enqueue_scripts · captcha-them-all.php:1544
action · wp_enqueue_scripts · captcha-them-all.php:1545
action · admin_menu · captcha-them-all.php:1551
action · wp_login_failed · captcha-them-all.php:1563
action · wp_login · captcha-them-all.php:1569
action · admin_init · captcha-them-all.php:1575
Maintenance & Trust

Captcha Them All Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.4.8
Last updated: Dec 20, 2023
PHP min version
Downloads: 47K

Community Trust

Rating: 94/100
Number of ratings: 15
Active installs: 6K
Developer Profile

Captcha Them All Developer Profile

FuzzGuard

5 plugins · 8K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 280 days
Detection Fingerprints

How We Detect Captcha Them All

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/captcha-them-all/css/cta.css
Script Paths
https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit&hl=
/wp-content/plugins/captcha-them-all/visualcaptcha/public/visualcaptcha.css
/wp-content/plugins/captcha-them-all/visualcaptcha/public/visualcaptcha.jquery.js
/wp-content/plugins/captcha-them-all/visualcaptcha/public/visualcaptcha.bootstrap.js
Version Parameters
captcha-them-all/style.css?ver=
captcha-them-all/visualcaptcha/public/visualcaptcha.css?ver=
captcha-them-all/visualcaptcha/public/visualcaptcha.jquery.js?ver=
captcha-them-all/visualcaptcha/public/visualcaptcha.bootstrap.js?ver=

HTML / DOM Fingerprints

CSS Classes
visualcaptcha-canvas
Data Attributes
data-captcha-params
JS Globals
captchaParams
FAQ

Frequently Asked Questions about Captcha Them All