Cartpauj Register Captcha Security & Risk Analysis

wordpress.org/plugins/cartpauj-register-captcha

Cartpauj Register Captcha does one simple task. It prevents SPAM signups through WordPress' default registration form.

1K active installs · v2.0.1 · PHP + · WP 6.0+ · Updated May 20, 2025
Tags: captcha, login-security, protection, recaptcha, turnstile
Score: 100 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Aug 21, 2023
Safety Verdict

Is Cartpauj Register Captcha Safe to Use in 2026?

Generally Safe

Score 100/100

Cartpauj Register Captcha has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Aug 21, 2023 · Updated 10mo ago
Risk Assessment

The cartpauj-register-captcha plugin v2.0.1 presents a moderate security risk due to a significant security oversight in its implementation. While the plugin avoids dangerous functions, raw SQL queries, and external HTTP requests, it critically lacks authentication and capability checks on its AJAX handlers. The static analysis reveals two AJAX entry points, both completely unprotected, creating a substantial attack surface for unauthenticated users. Furthermore, one data flow with unsanitized paths, even if not rated critical or high, points to a potential for mishandling input that could lead to unintended behavior or information disclosure.

The plugin's vulnerability history shows no currently unpatched CVEs, but it does include a past vulnerability related to 'Guessable CAPTCHA', suggesting potential weaknesses in its core functionality that attackers might exploit. The absence of nonces and capability checks on AJAX actions is a glaring security flaw that directly exposes these functions to manipulation. Despite positive aspects such as prepared SQL statements and the avoidance of external requests, the unprotected AJAX endpoints are a major concern: they could be exploited to disrupt registration or potentially cause other issues, depending on the handler's functionality.

Key Concerns

  • Unprotected AJAX handlers (2)
  • Missing nonce checks on AJAX
  • Missing capability checks on AJAX
  • Flow with unsanitized paths
  • Output escaping (40% unescaped)
Vulnerabilities (1)

Cartpauj Register Captcha Security Vulnerabilities

CVEs by Year

1 CVE in 2023

Severity Breakdown

Medium: 1

1 total CVE

CVE-2023-40673 · medium · 5.3 · Guessable CAPTCHA

Cartpauj Register Captcha <= 1.0.02 - CAPTCHA Bypass

Aug 21, 2023 · Patched in 2.0.0 (155d)
Code Analysis
Analyzed Mar 16, 2026

Cartpauj Register Captcha Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 2 (3 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

60% escaped · 5 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

1 flow · 1 with unsanitized paths
<cartpauj-register-captcha> (cartpauj-register-captcha.php:0)
Attack Surface
2 unprotected

Cartpauj Register Captcha Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers (2)

auth · wp_ajax_crcc_get_img · cartpauj-register-captcha.php:52
nopriv · wp_ajax_crcc_get_img · cartpauj-register-captcha.php:53

WordPress Hooks (3)

action · register_form · cartpauj-register-captcha.php:70
action · register_post · cartpauj-register-captcha.php:92
action · plugins_loaded · cartpauj-register-captcha.php:107
Maintenance & Trust

Cartpauj Register Captcha Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: May 20, 2025
PHP min version
Downloads: 39K

Community Trust

Rating: 84/100
Number of ratings: 24
Active installs: 1K
Developer Profile

Cartpauj Register Captcha Developer Profile

cartpauj

5 plugins · 32K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 1225 days
Detection Fingerprints

How We Detect Cartpauj Register Captcha

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cartpauj-register-captcha/vendor/captcha/captcha.class.php

HTML / DOM Fingerprints

Shortcode Output
<p> <label for="crcc_code">Enter the characters below</label> <input type="text" name="crcc_code" id="crcc_code" class="input" size="20" required="required" autocomplete="off" /> <br/> <img src="" /> <input type="hidden" name="crcc_code_crypt" value="