reCaptcha by BestWebSoft Security & Risk Analysis

wordpress.org/plugins/google-captcha

Protect WordPress website forms from spam entries with Google reCAPTCHA.

100K active installs · v1.86 · PHP + · WP 6.5+ · Updated Feb 25, 2026
Tags: anti-spam-security, antispam, captcha, captha, recaptcha
98
A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Jan 3, 2025
Safety Verdict

Is reCaptcha by BestWebSoft Safe to Use in 2026?

Generally Safe

Score 98/100

reCaptcha by BestWebSoft has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Jan 3, 2025 · Updated 1mo ago
Risk Assessment

The "google-captcha" plugin, version 1.86, presents a mixed security posture. On the positive side, the static analysis shows a strong adherence to secure coding practices with a high percentage of properly escaped outputs, robust nonce and capability checks, and no detected dangerous functions. The attack surface, while present with AJAX handlers and shortcodes, appears to be well-protected, with no directly accessible unprotected entry points identified.

However, there are areas for concern. Of the plugin's 23 SQL queries, 57% do not use prepared statements; any of these that builds its SQL from user-controlled input without escaping would be open to SQL injection. The taint analysis shows no critical or high severity flows, but one flow has an unsanitized path, a potential weakness if an attacker can control the input. The plugin's history of 3 medium severity vulnerabilities (Cross-site Scripting and Guessable CAPTCHA) suggests recurring issues in input sanitization and CAPTCHA implementation, even though the current static analysis flags no explicit XSS or unpatched issues.

In conclusion, the plugin demonstrates good practices in areas like output escaping and authentication checks. Nevertheless, the SQL query practices and the past vulnerability history, particularly concerning input handling and CAPTCHA logic, warrant careful consideration. While the current version shows no unpatched CVEs and a seemingly clean taint analysis, the potential for SQL injection and the historical trends suggest that ongoing vigilance and potentially further code review regarding SQL query handling are advisable.

Key Concerns

  • SQL queries not using prepared statements
  • Past medium severity vulnerabilities (3 total)
  • Flows with unsanitized paths
Vulnerabilities
3

reCaptcha by BestWebSoft Security Vulnerabilities

CVEs by Year

2015: 1 CVE
2017: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-24628 · medium · 5.3 · Guessable CAPTCHA

reCaptcha by BestWebSoft <= 1.78 - CAPTCHA Bypass

Jan 3, 2025 · Patched in 1.79 (49d)

WF-169f2767-da20-4199-9997-438a62f6aee4-google-captcha · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

reCaptcha by BestWebSoft < 1.28 - Reflected Cross-Site Scripting

Apr 12, 2017 · Patched in 1.28 (2477d)

CVE-2015-0890 · medium · 5.3 · Guessable CAPTCHA

reCaptcha by BestWebSoft <= 1.12 - CAPTCHA Bypass

Mar 3, 2015 · Patched in 1.13 (3248d)

Code Analysis
Analyzed Mar 16, 2026

reCaptcha by BestWebSoft Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 13 · 10 prepared
Unescaped Output: 34 · 621 escaped
Nonce Checks: 27
Capability Checks: 4
File Operations: 2
External Requests: 7
Bundled Libraries: 0

SQL Query Safety

43% prepared · 23 total queries

Output Escaping

95% escaped · 655 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

12 flows · 1 with unsanitized paths
gglcptch_get_response (google-captcha.php:1002)
Attack Surface

reCaptcha by BestWebSoft Attack Surface

Entry Points: 5
Unprotected: 0

AJAX Handlers 4

auth · wp_ajax_bws_submit_request_feature_action · bws_menu\class-bws-settings.php:1475
auth · wp_ajax_bws_submit_uninstall_reason_action · bws_menu\deactivation-form.php:433
auth · wp_ajax_gglcptch-test-keys · google-captcha.php:1592
auth · wp_ajax_gglcptch_test_keys_verification · google-captcha.php:1593

Shortcodes 1

[bws_google_captcha] google-captcha.php:1579

WordPress Hooks 61

filter · load_textdomain_mofile · bws_menu\bws_functions.php:43
filter · mce_external_plugins · bws_menu\bws_functions.php:1146
filter · mce_buttons · bws_menu\bws_functions.php:1147
action · admin_init · bws_menu\bws_functions.php:1433
action · admin_enqueue_scripts · bws_menu\bws_functions.php:1434
action · admin_head · bws_menu\bws_functions.php:1435
action · admin_footer · bws_menu\bws_functions.php:1436
action · admin_notices · bws_menu\bws_functions.php:1438
action · wp_enqueue_scripts · bws_menu\bws_functions.php:1440
filter · site_url · google-captcha.php:143
action · login_init · google-captcha.php:144
action · login_form · google-captcha.php:145
filter · lostpassword_url · google-captcha.php:147
filter · lostpassword_redirect · google-captcha.php:148
action · wp_footer · google-captcha.php:389
action · login_footer · google-captcha.php:395
action · wp_footer · google-captcha.php:919
action · login_footer · google-captcha.php:925
action · admin_menu · google-captcha.php:1564
action · init · google-captcha.php:1566
action · admin_init · google-captcha.php:1567
action · plugins_loaded · google-captcha.php:1569
action · admin_enqueue_scripts · google-captcha.php:1571
action · login_enqueue_scripts · google-captcha.php:1572
filter · script_loader_tag · google-captcha.php:1573
action · admin_footer · google-captcha.php:1574
filter · pgntn_callback · google-captcha.php:1575
filter · lmtttmpts_plugin_forms · google-captcha.php:1577
filter · widget_text · google-captcha.php:1580
filter · gglcptch_display_recaptcha · google-captcha.php:1582
filter · gglcptch_verify_recaptcha · google-captcha.php:1583
filter · gglcptch_limit_attempts_check · google-captcha.php:1585
filter · plugin_action_links · google-captcha.php:1587
filter · plugin_row_meta · google-captcha.php:1588
action · admin_notices · google-captcha.php:1590
filter · frm_available_fields · includes\captcha-for-formidable.php:170
filter · frm_before_field_created · includes\captcha-for-formidable.php:172
action · frm_display_added_fields · includes\captcha-for-formidable.php:173
action · frm_form_fields · includes\captcha-for-formidable.php:174
filter · frm_validate_field_entry · includes\captcha-for-formidable.php:175
action · login_form · includes\forms.php:214
action · authenticate · includes\forms.php:215
action · register_form · includes\forms.php:220
action · registration_errors · includes\forms.php:221
action · signup_extra_fields · includes\forms.php:223
action · signup_blogform · includes\forms.php:224
filter · wpmu_validate_user_signup · includes\forms.php:225
action · lostpassword_form · includes\forms.php:230
action · allow_password_reset · includes\forms.php:231
filter · the_password_form · includes\forms.php:237
filter · post_password_expires · includes\forms.php:238
filter · post_password_required · includes\forms.php:239
action · comment_form_after_fields · includes\forms.php:244
action · comment_form_logged_in_after · includes\forms.php:245
action · pre_comment_on_post · includes\forms.php:246
filter · cntctfrm_display_captcha · includes\forms.php:251
filter · cntctfrm_check_form · includes\forms.php:252
filter · tstmnls_display_recaptcha · includes\forms.php:257
filter · lgnrgstrfrm_add_field · includes\forms.php:262
filter · lgnrgstrfrm_check_field · includes\forms.php:263
action · validate_password_reset · includes\forms.php:267
Maintenance & Trust

reCaptcha by BestWebSoft Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 25, 2026
PHP min version
Downloads: 6.6M

Community Trust

Rating: 78/100
Number of ratings: 390
Active installs: 100K
Developer Profile

reCaptcha by BestWebSoft Developer Profile

bestwebsoft

17 plugins · 207K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 1729 days
Detection Fingerprints

How We Detect reCaptcha by BestWebSoft

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/google-captcha/css/style.css
/wp-content/plugins/google-captcha/js/script.js
/wp-content/plugins/google-captcha/js/recaptcha-v3.js
/wp-content/plugins/google-captcha/js/admin-script.js
/wp-content/plugins/google-captcha/css/admin-style.css
Script Paths
https://www.google.com/recaptcha/api.js?onload=gglcptch_onloadCallback&render=explicit
Version Parameters
google-captcha/css/style.css?ver=
google-captcha/js/script.js?ver=
google-captcha/js/recaptcha-v3.js?ver=
google-captcha/js/admin-script.js?ver=
google-captcha/css/admin-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
gglcptch_captcha
HTML Comments
<!-- Start reCaptcha by BestWebSoft -->
<!-- End reCaptcha by BestWebSoft -->
Data Attributes
data-sitekey
data-callback
data-badge
JS Globals
gglcptch_onloadCallback
gglcptch_form_data
FAQ

Frequently Asked Questions about reCaptcha by BestWebSoft