Does Kcaptcha have any unpatched vulnerabilities?

No. All known vulnerabilities in Kcaptcha have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Kcaptcha compatible with WordPress 4.6.30?

According to WordPress.org data, Kcaptcha 1.0.1 has been tested up to WordPress 4.6.30. Check the plugin's changelog for the latest compatibility information.

How often is Kcaptcha updated?

Kcaptcha was last updated on Sep 14, 2016. Frequent updates are generally a positive security signal.

What is Kcaptcha's security score?

Kcaptcha has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Kcaptcha Security & Risk Analysis

wordpress.org/plugins/kcaptcha

Kcaptcha plugin is the perfect security plugin for your wordpress website forms that protects your website from spam bots.

30 active installs v1.0.1 PHP + WP 3.1+ Updated Sep 14, 2016

anti-spamcaptcha-plugincomment-captchaform-captchalogin-captcharegistration-captcha

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Kcaptcha Safe to Use in 2026?

Generally Safe

Score 85/100

Kcaptcha has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9yr ago

Risk Assessment

The kcaptcha plugin v1.0.1 exhibits a generally good security posture based on the provided static analysis. The plugin has a very small attack surface, with only one shortcode and no unprotected entry points identified. The absence of dangerous functions, file operations, and external HTTP requests is also a positive indicator. Furthermore, the plugin has no recorded vulnerability history, suggesting a track record of secure development.

However, there are areas for improvement. The analysis shows that only 25% of SQL queries use prepared statements, leaving a significant portion vulnerable to SQL injection if user input is involved. Similarly, only 25% of outputs are properly escaped, creating potential for cross-site scripting (XSS) vulnerabilities. The complete absence of nonce and capability checks on its single entry point (the shortcode) is a significant concern, as it means any authenticated user could potentially trigger its functionality without proper authorization or security validation. While taint analysis found no issues, this might be due to limited testing scope or the absence of certain types of user input being processed.

In conclusion, while kcaptcha benefits from a small attack surface and a clean vulnerability history, the identified code quality issues related to SQL preparation and output escaping, coupled with the complete lack of nonce and capability checks on its shortcode, present notable security risks that should be addressed.

Key Concerns

SQL queries not using prepared statements (75%)
Output escaping not properly implemented (75%)
Missing nonce checks on entry points
Missing capability checks on entry points

Vulnerabilities

None known

Kcaptcha Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Kcaptcha Code Analysis

Dangerous Functions

Raw SQL Queries

1 prepared

Unescaped Output

1 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

25% prepared4 total queries

Output Escaping

25% escaped4 total outputs

Attack Surface

Kcaptcha Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[addKcaptcha] kcaptcha.php:347

WordPress Hooks 11

actionadmin_menukcaptcha.php:58

actionlogin_formkcaptcha.php:156

actionauthenticatekcaptcha.php:157

actionregister_formkcaptcha.php:195

filterregistration_errorskcaptcha.php:197

actioncomment_form_after_fieldskcaptcha.php:232

actioncomment_form_logged_in_afterkcaptcha.php:233

actioncomment_formkcaptcha.php:236

filterpreprocess_commentkcaptcha.php:237

actionlostpassword_formkcaptcha.php:303

actionlostpassword_postkcaptcha.php:304

Maintenance & Trust

Kcaptcha Maintenance & Trust

Maintenance Signals

WordPress version tested4.6.30

Last updatedSep 14, 2016

PHP min version

Downloads3K

Community Trust

Rating100/100

Number of ratings1

Active installs30

Alternatives

Kcaptcha Alternatives

Captcha Code

captcha-code-authentication

GDPR compatible captcha anti-spam protection for login form, comments form, registration form & lost password form. Eliminate spam with captcha.

100K 2 CVEs

Akismet Anti-spam: Spam Protection

akismet

The best anti-spam protection to block spam comments and spam in a contact form. The most trusted antispam solution for WordPress and WooCommerce.

6.0M 2 CVEs

Antispam Bee

antispam-bee

100

Sophisticated antispam plugin for effective daily comment and trackback spam-fighting. Built with data protection and privacy in mind.

700K 1 CVE

CF7 Apps – Honeypot, Database, Redirection, Webhook, and Addons for Contact Form 7

contact-form-7-honeypot

100

Addons for Contact Form 7 — Honeypot, Database Entries, Redirection, Spam Protection, Webhooks, ACF integration for Contact Form 7, and more.

300K No CVEs

WP Armour – Honeypot Anti Spam

honeypot

Fastest growing Anti Spam plugin. No API calls, subscriptions, captcha or puzzle. Full GDPR complaint. For comments, contact form, login, registration

300K 2 CVEs

Developer Profile

Kcaptcha Developer Profile

Ksolves - Emerging Ahead Always

1 plugin · 30 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Kcaptcha

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/kcaptcha/lib/createcaptcha.php

HTML / DOM Fingerprints

HTML Comments

Data Attributes

id="captcha_code"id='captchaimg'

JS Globals

function refreshCaptcha()var img = document.images['captchaimg']

Shortcode Output

<img src="id='captchaimg'" data-src="" name="captcha_code"

FAQ