Friendly Captcha for WordPress Security & Risk Analysis

wordpress.org/plugins/friendly-captcha

Friendly Captcha is a privacy-first anti-bot solution that protects WordPress website forms from spam and abuse.

9K active installs v1.16.0 PHP 7.3+ WP 5.0+ Updated Feb 3, 2026
Tags: antispam, captcha, contact-form, recaptcha, spam
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Friendly Captcha for WordPress Safe to Use in 2026?

Generally Safe

Score 100/100

Friendly Captcha for WordPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The Friendly Captcha plugin v1.16.0 exhibits a generally positive security posture, with no known vulnerabilities or critical code signals that would indicate immediate high risk. The absence of any recorded CVEs, coupled with the fact that all SQL queries are properly prepared and there are no critical taint flows, suggests a diligent approach to secure coding practices by the developers. The plugin also appears to have a minimal attack surface, with no exposed AJAX handlers, REST API routes, shortcodes, or cron events that lack authorization checks.

However, there are areas for improvement. The most significant concern is the low rate of proper output escaping, with only 28% of outputs being escaped. This could leave the plugin susceptible to cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled carefully within the plugin's presentation layers. Additionally, the absence of capability checks is a potential risk, as actions that should be restricted to authenticated users might be accessible to those with lower privileges. The plugin also makes external HTTP requests, which, while not inherently risky, do represent an entry point that should be monitored for potential misuse or data exposure if not properly secured.

In conclusion, Friendly Captcha v1.16.0 is a relatively safe plugin, largely due to its lack of historical vulnerabilities and strong adherence to secure SQL practices. The primary weakness lies in its output escaping, which requires immediate attention to mitigate XSS risks. Addressing this and the capability check oversight would significantly strengthen its overall security.

Key Concerns

  • Low output escaping rate
  • Capability checks missing
Vulnerabilities
None known

Friendly Captcha for WordPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Friendly Captcha for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 43 (17 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

28% escaped · 60 total outputs
Attack Surface

Friendly Captcha for WordPress Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 84
action · admin_menu · includes\admin.php:6
filter · plugin_action_links_friendly-captcha/friendly-captcha.php · includes\admin.php:22
action · admin_notices · includes\admin.php:58
action · admin_notices · includes\admin.php:92
action · admin_init · includes\settings.php:6
action · fusion_element_button_content · modules\avada-forms\avada-forms.php:3
filter · fusion_form_demo_mode · modules\avada-forms\avada-forms.php:4
filter · render_block · modules\coblocks\coblocks.php:5
filter · render_block_data · modules\coblocks\coblocks.php:6
action · coblocks_before_form_submit · modules\coblocks\coblocks.php:73
filter · pre_option_coblocks_google_recaptcha_site_key · modules\coblocks\coblocks.php:82
filter · pre_option_coblocks_google_recaptcha_secret_key · modules\coblocks\coblocks.php:83
filter · pre_http_request · modules\coblocks\coblocks.php:87
action · wp_enqueue_scripts · modules\contact-form-7\contact-form-7.php:3
filter · wpcf7_form_elements · modules\contact-form-7\contact-form-7.php:27
filter · wpcf7_spam · modules\contact-form-7\contact-form-7.php:51
action · wpcf7_init · modules\contact-form-7\contact-form-7.php:133
filter · et_core_get_third_party_components · modules\divi\divi.php:3
filter · et_core_api_spam_enabled_providers · modules\divi\divi.php:4
filter · option_et_core_api_spam_options · modules\divi\divi.php:5
action · init · modules\divi\divi.php:6
filter · do_shortcode_tag · modules\divi\divi.php:7
action · wp_enqueue_scripts · modules\divi\frcaptcha_divi_core_addon.php:24
action · elementor/init · modules\elementor\elementor.php:30
action · elementor_pro/forms/fields/register · modules\elementor\elementor.php:31
action · elementor/preview/init · modules\elementor\field.php:137
action · wp_footer · modules\elementor\field.php:142
action · fluentform_render_item_submit_button · modules\fluentform\fluentform.php:4
action · fluentform_render_item_step_end · modules\fluentform\fluentform.php:5
filter · fluentform_before_insert_submission · modules\fluentform\fluentform.php:22
action · plugins_loaded · modules\formidable\formidable.php:10
filter · frm_get_field_type_class · modules\formidable\formidable.php:39
filter · frm_available_fields · modules\formidable\formidable.php:48
action · forminator_render_button_markup · modules\forminator\forminator.php:3
filter · forminator_cform_form_is_submittable · modules\forminator\forminator.php:4
filter · gform_init_scripts_footer · modules\gravityforms\field.php:96
action · gform_loaded · modules\gravityforms\gravityforms.php:4
filter · hf_form_html · modules\html-forms\html-forms.php:3
filter · hf_validate_form · modules\html-forms\html-forms.php:16
filter · hf_form_message_frcaptcha_empty · modules\html-forms\html-forms.php:37
filter · hf_form_message_frcaptcha_invalid · modules\html-forms\html-forms.php:41
filter · login_form_middle · modules\profile-builder\profile_builder_login.php:3
filter · authenticate · modules\profile-builder\profile_builder_login.php:18
filter · wppb_after_form_fields · modules\profile-builder\profile_builder_register.php:7
action · wppb_output_field_errors_filter · modules\profile-builder\profile_builder_register.php:22
filter · wppb_general_top_error_message · modules\profile-builder\profile_builder_register.php:58
filter · wppb_recover_password_generate_password_input · modules\profile-builder\profile_builder_reset_password.php:3
filter · wppb_recover_password_sent_message1 · modules\profile-builder\profile_builder_reset_password.php:18
filter · wppb_recover_password_displayed_message1 · modules\profile-builder\profile_builder_reset_password.php:43
action · um_after_login_fields · modules\ultimate-member\ultimate-member_login.php:3
action · um_submit_form_errors_hook · modules\ultimate-member\ultimate-member_login.php:20
action · um_after_register_fields · modules\ultimate-member\ultimate-member_register.php:3
action · um_submit_form_errors_hook · modules\ultimate-member\ultimate-member_register.php:20
action · um_after_password_reset_fields · modules\ultimate-member\ultimate-member_reset_password.php:3
action · um_reset_password_errors_hook · modules\ultimate-member\ultimate-member_reset_password.php:20
action · woocommerce_after_checkout_billing_form · modules\woocommerce\woocommerce_checkout.php:3
action · woocommerce_checkout_process · modules\woocommerce\woocommerce_checkout.php:27
action · woocommerce_login_form · modules\woocommerce\woocommerce_login.php:3
action · woocommerce_process_login_errors · modules\woocommerce\woocommerce_login.php:27
action · woocommerce_lostpassword_form · modules\woocommerce\woocommerce_lost_password.php:3
action · woocommerce_register_form · modules\woocommerce\woocommerce_register.php:3
action · woocommerce_process_registration_errors · modules\woocommerce\woocommerce_register.php:27
action · comment_form_after_fields · modules\wordpress\wordpress_comments.php:3
action · comment_form_logged_in_after · modules\wordpress\wordpress_comments.php:19
filter · preprocess_comment · modules\wordpress\wordpress_comments.php:35
action · login_form · modules\wordpress\wordpress_login.php:3
filter · wp_authenticate_user · modules\wordpress\wordpress_login.php:20
filter · um_submit_form_errors_hook_login · modules\wordpress\wordpress_login.php:62
action · register_form · modules\wordpress\wordpress_register.php:3
action · register_post · modules\wordpress\wordpress_register.php:20
action · lostpassword_form · modules\wordpress\wordpress_reset_password.php:3
filter · lostpassword_post · modules\wordpress\wordpress_reset_password.php:20
action · awsm_application_form_field_init · modules\wp-job-openings\wp-job-openings.php:7
filter · awsm_application_form_is_recaptcha_visible · modules\wp-job-openings\wp-job-openings.php:26
action · awsm_job_application_submitting · modules\wp-job-openings\wp-job-openings.php:37
action · wpforms_wp_footer_end · modules\wpforms\wpforms.php:3
filter · wpforms_display_submit_before · modules\wpforms\wpforms.php:158
action · wpforms_process · modules\wpforms\wpforms.php:177
action · wpum_before_submit_button_login_form · modules\wpum\wpum_login.php:3
action · wpum_before_submit_button_two_factor_login_form · modules\wpum\wpum_login.php:4
action · wpum_before_submit_button_password_recovery_form · modules\wpum\wpum_password-recovery.php:3
action · wpum_before_submit_button_registration_form · modules\wpum\wpum_registration.php:3
filter · submit_wpum_form_validate_fields · modules\wpum\wpum_validate.php:6
filter · script_loader_tag · public\widgets.php:116
Maintenance & Trust

Friendly Captcha for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Feb 3, 2026
PHP min version: 7.3
Downloads: 264K

Community Trust

Rating: 82/100
Number of ratings: 17
Active installs: 9K
Developer Profile

Friendly Captcha for WordPress Developer Profile

Friendly Captcha

1 plugin · 9K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Friendly Captcha for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/friendly-captcha/assets/js/friendly-captcha-widget.js
  • /wp-content/plugins/friendly-captcha/assets/css/friendly-captcha-widget.css
Script Paths
  • /wp-content/plugins/friendly-captcha/modules/contact-form-7/script.js
  • /wp-content/plugins/friendly-captcha/assets/js/friendly-captcha-widget.js
  • /wp-content/plugins/friendly-captcha/assets/js/friendly-captcha-widget-fallback.js
Version Parameters
  • friendly-captcha/style.css?ver=
  • friendly-captcha/script.js?ver=
  • friendly-captcha-widget.js?ver=
  • friendly-captcha-widget-fallback.js?ver=

HTML / DOM Fingerprints

CSS Classes
frc-captcha
Data Attributes
data-sitekey
JS Globals
FriendlyCaptcha
Shortcode Output
[friendlycaptcha]