CF7 Invisible reCAPTCHA Security & Risk Analysis

wordpress.org/plugins/cf7-invisible-recaptcha

CF7 Invisible reCAPTCHA plugin is an effective solution that secures your Contact form 7 forms on WordPress websites from spam entries while letting h …

7K active installs · v1.3.4 · PHP + WP 4.5+ · Updated May 16, 2023
cf7-invisible-recaptcha, contact-form-7-invisible-recaptcha, invisible-recaptcha
84 · B · Generally Safe
CVEs total: 2
Unpatched: 0
Last CVE: Mar 14, 2023
Safety Verdict

Is CF7 Invisible reCAPTCHA Safe to Use in 2026?

Mostly Safe

Score 84/100

CF7 Invisible reCAPTCHA is generally safe to use though it hasn't been updated recently. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · Last CVE: Mar 14, 2023 · Updated 2yr ago
Risk Assessment

The plugin "cf7-invisible-recaptcha" v1.3.4 exhibits a mixed security posture. On the positive side, it boasts a small attack surface with only two AJAX entry points, neither of which is unprotected. The code also demonstrates good practices by exclusively using prepared statements for all SQL queries and includes nonce checks for its AJAX handlers. However, concerns arise from the output escaping, where only 52% of outputs are properly escaped, indicating a potential for Cross-Site Scripting (XSS) vulnerabilities. The plugin also makes two external HTTP requests, which could be a vector for various attacks if not handled securely.

The vulnerability history reveals two previously discovered medium-severity vulnerabilities, specifically Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). While there are no currently unpatched CVEs, the recurring nature of these vulnerability types suggests potential weaknesses in how user input is handled and validated. The last reported vulnerability was in March 2023, which is relatively recent. The taint analysis shows no unsanitized paths or critical/high severity flows, which is a positive sign. Overall, the plugin has made progress in security, but the output escaping and past vulnerability trends warrant careful consideration.

Key Concerns

  • 52% of outputs properly escaped
  • 2 medium severity CVEs in history
Vulnerabilities: 2

CF7 Invisible reCAPTCHA Security Vulnerabilities

CVEs by Year

1 CVE in 2018
1 CVE in 2023

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2023-28167 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

CF7 Invisible reCAPTCHA <= 1.3.3 - Cross-Site Request Forgery via vsz_cf7_invisible_recaptcha_page

Mar 14, 2023 · Patched in 1.3.4 (315d)

CVE-2018-21012 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CF7 Invisible reCAPTCHA < 1.3.2 - Cross-Site Scripting

May 16, 2018 · Patched in 1.3.2 (2078d)
Code Analysis
Analyzed Mar 16, 2026

CF7 Invisible reCAPTCHA Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 14 (15 escaped)
Nonce Checks: 3
Capability Checks: 0
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

52% escaped · 29 total outputs
Data Flows: All sanitized

Data Flow Analysis

2 flows
vsz_cf7_invisible_recaptcha_page (cf7-Invisible-recaptcha.php:54)
Attack Surface

CF7 Invisible reCAPTCHA Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 2

auth · wp_ajax_vsz_cf7_secret_key · cf7-Invisible-recaptcha.php:586
nopriv · wp_ajax_vsz_cf7_secret_key · cf7-Invisible-recaptcha.php:587

WordPress Hooks: 6

action · admin_menu · cf7-Invisible-recaptcha.php:34
action · wp_enqueue_scripts · cf7-Invisible-recaptcha.php:442
filter · wpcf7_form_elements · cf7-Invisible-recaptcha.php:627
filter · wpcf7_validate · cf7-Invisible-recaptcha.php:630
filter · wpcf7_display_message · cf7-Invisible-recaptcha.php:631
filter · wpcf7_form_elements · cf7-Invisible-recaptcha.php:713
Maintenance & Trust

CF7 Invisible reCAPTCHA Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.2.9
Last updated: May 16, 2023
PHP min version
Downloads: 83K

Community Trust

Rating: 62/100
Number of ratings: 14
Active installs: 7K
Developer Profile

CF7 Invisible reCAPTCHA Developer Profile

Vsourz Digital

8 plugins · 78K total installs

Trust score: 65
Avg Security Score: 80/100
Avg Patch Time: 845 days
Detection Fingerprints

How We Detect CF7 Invisible reCAPTCHA

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cf7-invisible-recaptcha/css/admin.css
/wp-content/plugins/cf7-invisible-recaptcha/css/font-awesome.css
/wp-content/plugins/cf7-invisible-recaptcha/js/admin.js
/wp-content/plugins/cf7-invisible-recaptcha/js/recaptcha.js
Version Parameters
cf7-invisible-recaptcha/style.css?ver=
cf7-invisible-recaptcha/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
cf7-head
vsz_recaptcha_setup
vsz_recaptcha_setup_msg
vsz_captcha_site_key
HTML Comments
It is possible that some or all functions may not work proper if you are using some other invisible recaptcha functionality providing plugin.
It is advisable to validate your key before saving.
Data Attributes
data-sitekey
JS Globals
grecaptcha
FAQ

Frequently Asked Questions about CF7 Invisible reCAPTCHA