Login No Captcha reCAPTCHA Security & Risk Analysis

wordpress.org/plugins/login-recaptcha

Adds a Google No Captcha ReCaptcha checkbox to your Wordpress and Woocommerce login, forgot password, and user registration pages.

60K active installs v1.7.3 PHP + WP 4.6+ Updated Feb 27, 2024
googleloginnocaptcharecaptchasecurity
81
B · Generally Safe
CVEs total2
Unpatched0
Last CVEMay 27, 2026
Safety Verdict

Is Login No Captcha reCAPTCHA Safe to Use in 2026?

Mostly Safe

Score 81/100

Login No Captcha reCAPTCHA is generally safe to use though it hasn't been updated recently. 2 past CVEs were resolved.

2 known CVEsLast CVE: May 27, 2026Updated 2yr ago
Risk Assessment

The login-recaptcha plugin version 1.7.3 exhibits a mixed security posture. On the positive side, the absence of AJAX handlers, REST API routes, shortcodes, and cron events with unprotected entry points is a significant strength, minimizing the direct attack surface. Furthermore, all identified SQL queries utilize prepared statements, which is excellent practice for preventing SQL injection vulnerabilities.

However, several concerning findings emerge from the static analysis. The most critical is that 100% of output is not properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis revealing two flows with unsanitized paths, although not classified as critical or high severity, warrants attention as these could potentially lead to unexpected behavior or further exploitation if not handled correctly. The plugin also makes external HTTP requests, which, while not inherently a vulnerability, can be a vector for certain types of attacks if the target endpoints are compromised or if data is transmitted insecurely.

The vulnerability history shows one past medium-severity CVE related to improper authorization, which was addressed. The fact that there are no currently unpatched vulnerabilities is positive, but the past occurrence of an authorization issue alongside the current lack of capability checks in the code analysis suggests that authorization mechanisms might not be consistently robust. The absence of nonce checks on any potential entry points (though none were identified as unprotected) is also a missed security control that could be relevant if new entry points were introduced or if current ones were implicitly exploitable in ways not immediately obvious from the static analysis.

In conclusion, while the plugin has a limited attack surface and uses prepared statements for SQL, the significant lack of output escaping presents a substantial risk of XSS. The past CVE and current lack of capability checks also highlight potential weaknesses in authorization handling. A thorough review and remediation of unescaped outputs are strongly recommended.

Key Concerns

  • 100% of outputs not properly escaped
  • Taint analysis found 2 unsanitized paths
  • Past medium vulnerability (Improper Authorization)
  • No nonce checks
  • No capability checks
Vulnerabilities
2 published

Login No Captcha reCAPTCHA Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

High
1
Medium
1

2 total CVEs

CVE-2026-2374high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP_SELF

May 27, 2026 Patched in 1.8.1 (1d)
CVE-2022-2913medium · 5.3Improper Authorization

Login No Captcha reCAPTCHA <= 1.6.11 - CAPTCHA Bypass via Whitelisted IP Address Spoofing

Aug 16, 2022 Patched in 1.7 (525d)
Version History

Login No Captcha reCAPTCHA Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Login No Captcha reCAPTCHA Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
15
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
2
Bundled Libraries
0

Output Escaping

0% escaped15 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
authenticate (login-nocaptcha.php:275)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Login No Captcha reCAPTCHA Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 22
actionplugins_loadedlogin-nocaptcha.php:21
actionadmin_menulogin-nocaptcha.php:22
actionadmin_initlogin-nocaptcha.php:23
actionadmin_noticeslogin-nocaptcha.php:24
actionlogin_enqueue_scriptslogin-nocaptcha.php:31
actionadmin_enqueue_scriptslogin-nocaptcha.php:32
actionlogin_formlogin-nocaptcha.php:35
actionregister_formlogin-nocaptcha.php:36
actionsignup_extra_fieldslogin-nocaptcha.php:37
actionlostpassword_formlogin-nocaptcha.php:38
filterregistration_errorslogin-nocaptcha.php:42
actionlostpassword_postlogin-nocaptcha.php:43
filterauthenticatelogin-nocaptcha.php:44
filtershake_error_codeslogin-nocaptcha.php:45
actionplugins_loadedlogin-nocaptcha.php:46
actionwoocommerce_register_postlogin-nocaptcha.php:53
actionwoocommerce_register_formlogin-nocaptcha.php:54
actionwp_headlogin-nocaptcha.php:61
actionwoocommerce_login_formlogin-nocaptcha.php:62
actionwoocommerce_lostpassword_formlogin-nocaptcha.php:63
actionwoocommerce_register_postlogin-nocaptcha.php:64
actionwoocommerce_register_formlogin-nocaptcha.php:65
Maintenance & Trust

Login No Captcha reCAPTCHA Maintenance & Trust

Maintenance Signals

WordPress version tested6.4.8
Last updatedFeb 27, 2024
PHP min version
Downloads1.4M

Community Trust

Rating90/100
Number of ratings63
Active installs60K
Developer Profile

Login No Captcha reCAPTCHA Developer Profile

Robert Peake

4 plugins · 61K total installs

66
trust score
Avg Security Score
81/100
Avg Patch Time
263 days
View full developer profile
Detection Fingerprints

How We Detect Login No Captcha reCAPTCHA

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/login-recaptcha/css/login-recaptcha.css/wp-content/plugins/login-recaptcha/js/login-recaptcha.js
Script Paths
https://www.google.com/recaptcha/api.js
Version Parameters
/wp-content/plugins/login-recaptcha/css/login-recaptcha.css?ver=/wp-content/plugins/login-recaptcha/js/login-recaptcha.js?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Login No Captcha reCAPTCHA