Does No CAPTCHA reCAPTCHA have any unpatched vulnerabilities?

No. All known vulnerabilities in No CAPTCHA reCAPTCHA have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is No CAPTCHA reCAPTCHA compatible with WordPress 5.4.19?

According to WordPress.org data, No CAPTCHA reCAPTCHA 1.3.4 has been tested up to WordPress 5.4.19. Check the plugin's changelog for the latest compatibility information.

Is No CAPTCHA reCAPTCHA compatible with PHP 5.4+?

No CAPTCHA reCAPTCHA requires PHP 5.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is No CAPTCHA reCAPTCHA updated?

No CAPTCHA reCAPTCHA was last updated on Apr 15, 2020. Frequent updates are generally a positive security signal.

What is No CAPTCHA reCAPTCHA's security score?

No CAPTCHA reCAPTCHA has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

No CAPTCHA reCAPTCHA Security & Risk Analysis

wordpress.org/plugins/no-captcha-recaptcha

Protect WordPress login, registration, comment and BuddyPress registration forms with Google's No CAPTCHA reCAPTCHA.

5K active installs v1.3.4 PHP 5.4+ WP 4.0+ Updated Apr 15, 2020

comment-formloginrecaptcharegistration-formsecurity

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is No CAPTCHA reCAPTCHA Safe to Use in 2026?

Generally Safe

Score 85/100

No CAPTCHA reCAPTCHA has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago

Risk Assessment

The "no-captcha-recaptcha" plugin version 1.3.4 exhibits a generally positive security posture, with no known CVEs and a robust approach to internal security mechanisms like prepared statements for SQL queries and the use of capability checks. The static analysis reveals a clean codebase with no dangerous functions, file operations, or critical/high severity taint flows, indicating good development practices in these areas. The presence of nonce checks and capability checks also suggests an effort to protect against common WordPress vulnerabilities.

However, there are a couple of areas that warrant attention. The taint analysis identified one flow with an unsanitized path, which, while not categorized as critical or high, represents a potential avenue for attack if that path is exposed to user input. Additionally, a significant portion of output (37%) is not properly escaped, which could lead to Cross-Site Scripting (XSS) vulnerabilities if the data being output is not inherently safe. The external HTTP request, while singular, should be carefully monitored for potential vulnerabilities in the remote service.

Overall, the plugin's lack of historical vulnerabilities is a strong indicator of past security consciousness. The current static analysis, despite the identified taint flow and unescaped output, does not reveal any critical security flaws. The strengths lie in its secure handling of database interactions and access control. The weaknesses, though not immediately critical, lie in potential input sanitization gaps and output escaping oversights.

Key Concerns

Unsanitized path in taint analysis
Significant unescaped output

Vulnerabilities

None known

No CAPTCHA reCAPTCHA Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

No CAPTCHA reCAPTCHA Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

15 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

63% escaped24 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

4 flows1 with unsanitized paths

captcha_verification (base-class.php:136)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

No CAPTCHA reCAPTCHA Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 23

actionplugins_loadedbase-class.php:43

actionlogin_enqueue_scriptsbase-class.php:48

actionlogin_enqueue_scriptsbase-class.php:50

filterscript_loader_tagbase-class.php:54

actionbp_initbuddypress-registration.php:15

actionbp_before_registration_submit_buttonsbuddypress-registration.php:21

actionbp_signup_validatebuddypress-registration.php:24

actionwp_enqueue_scriptsbuddypress-registration.php:36

actionwp_headcomment-form.php:16

actioncomment_form_after_fieldscomment-form.php:19

filterpreprocess_commentcomment-form.php:22

filtercomment_post_redirectcomment-form.php:25

filtercomment_notification_recipientscomment-form.php:71

filtercomment_moderation_recipientscomment-form.php:72

actionlogin_formlogin.php:11

actionwp_authenticate_userlogin.php:14

actionadmin_noticesmo-admin-notice.php:7

actionnetwork_admin_noticesmo-admin-notice.php:8

actionadmin_initmo-admin-notice.php:10

actionregister_formregistration.php:11

actionregistration_errorsregistration.php:14

actionnetwork_admin_menusettings.php:8

actionadmin_menusettings.php:10

Maintenance & Trust

No CAPTCHA reCAPTCHA Maintenance & Trust

Maintenance Signals

WordPress version tested5.4.19

Last updatedApr 15, 2020

PHP min version5.4

Downloads151K

Community Trust

Rating86/100

Number of ratings69

Active installs5K

Alternatives

No CAPTCHA reCAPTCHA Alternatives

Power Captcha reCAPTCHA

power-captcha-recaptcha

Protect WordPress/WooCommerce/Contact Form 7 forms from spam, brute-force attacks, fake comments, accounts, or registrations with Google reCAPTCHA.

1K No CVEs

Login No Captcha reCAPTCHA

Adds a Google No Captcha ReCaptcha checkbox to your Wordpress and Woocommerce login, forgot password, and user registration pages.

60K 1 CVE

Login Security Captcha

100

Secure WordPress login, registration, and comment form with Google reCAPTCHA or Cloudflare Turnstile. Prevent Brute-force attacks and more.

10K No CVEs

ReCaptcha Integration for WordPress

wp-recaptcha-integration

reCaptcha for login, signup, comment forms, Ninja Forms and woocommerce.

10K 2 CVEs

DoLogin Security

dologin

Easy Login. 2FA login. Passwordless login. Cloudflare Turnstile reCAPTCHA. GeoLocation (Continent/Country/City)/IP range to limit login attempts.

7K 4 CVEs

Developer Profile

No CAPTCHA reCAPTCHA Developer Profile

Collins Agbonghama

2 plugins · 8K total installs

trust score

Avg Security Score

93/100

Avg Patch Time

84 days

View full developer profile

Detection Fingerprints

How We Detect No CAPTCHA reCAPTCHA

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/no-captcha-recaptcha/css/admin.css/wp-content/plugins/no-captcha-recaptcha/js/admin.js

Script Paths

/wp-content/plugins/no-captcha-recaptcha/js/admin.js/wp-content/plugins/no-captcha-recaptcha/js/login.js/wp-content/plugins/no-captcha-recaptcha/js/registration.js/wp-content/plugins/no-captcha-recaptcha/js/comment.js/wp-content/plugins/no-captcha-recaptcha/js/bp-registration.js

Version Parameters

no-captcha-recaptcha/css/admin.css?ver=no-captcha-recaptcha/js/admin.js?ver=no-captcha-recaptcha/js/login.js?ver=no-captcha-recaptcha/js/registration.js?ver=no-captcha-recaptcha/js/comment.js?ver=no-captcha-recaptcha/js/bp-registration.js?ver=

HTML / DOM Fingerprints

CSS Classes

ncr-captcha-wrapper

HTML Comments

Data Attributes

data-sitekeydata-theme

JS Globals

ncr_login_captcha_optionsncr_reg_captcha_optionsncr_comment_captcha_optionsncr_bp_captcha_options

FAQ