
Recaptcha – wp Security & Risk Analysis
wordpress.org/plugins/recaptcha-wp
Protect your WordPress site from spam machines by using google recaptcha. Note the setting is under Settings -> Discussion menu.
Is Recaptcha – wp Safe to Use in 2026?
Use With Caution
Score 63/100
Recaptcha – wp has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.
The recaptcha-wp plugin, in version 0.2.6, exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by avoiding dangerous functions, using prepared statements for all SQL queries, and exposing zero attack surface in terms of AJAX handlers, REST API routes, shortcodes, and cron events. There are also no external HTTP requests, reducing potential network-level risks.
However, significant concerns arise from the lack of output escaping for all identified outputs. This indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, where malicious scripts could be injected and executed within the user's browser. The presence of unsanitized paths in taint analysis, even without critical or high severity, is also a worry, suggesting potential for path traversal or other file system-related issues.
Furthermore, the vulnerability history reveals a past medium-severity XSS vulnerability that is currently unpatched. This pattern of past vulnerabilities, particularly XSS, coupled with the current lack of output escaping, suggests a recurring issue with secure output handling within the plugin. While the plugin has strengths in its minimal attack surface and database security, the unaddressed XSS risk and the potential for unsanitized path flows necessitate caution.
Key Concerns
- Unpatched CVE (medium severity XSS)
- 0% output escaping
- Unsanitized paths in taint flows
- No nonce checks
- No capability checks
Recaptcha – wp Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
Recaptcha – wp <= 0.2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Recaptcha – wp Release Timeline
Recaptcha – wp Code Analysis
Output Escaping
Data Flow Analysis
Recaptcha – wp Attack Surface
WordPress Hooks: 7
Maintenance & Trust
Recaptcha – wp Maintenance & Trust
Maintenance Signals
Community Trust
Recaptcha – wp Alternatives
Captcha Code
captcha-code-authentication
GDPR compatible captcha anti-spam protection for login form, comments form, registration form & lost password form. Eliminate spam with captcha.
reCAPTCHA in WP comments form
recaptcha-in-wp-comments-form
reCAPTCHA in WP comments form is an ANTISPAM tool that adds a Google reCAPTCHA to the comments form and protects your site from the spam robots threat …
TomS reCAPTCHA
toms-recaptcha
Integrated Google ReCaptcha for WordPress. Protect the login, register, lostpassword and comment forms. Support Woocommerce, Ultimate Member and more p …
Hercules Recaptcha
hercules-recaptcha
Hercules Recaptcha adds a Recaptcha to the comment form for non-logged in users. It uses the latest Recaptcha API.
Comments Form Captcha
captcha-for-comments-form
This is a very basic plugin but works efficiently. Any suggestions are welcomed and I assure users that I will make
Recaptcha – wp Developer Profile
1 plugin · 40 total installs
How We Detect Recaptcha – wp
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/recaptcha-wp/recaptcha-wp.php
- https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit
HTML / DOM Fingerprints
- g-recaptcha
- <!--
- if( get_option( 'wp_recaptcha_register' )){ add_action( 'register_form', 'wp_recaptcha_register_form' ); }
- data-sitekey
- onloadCallback
- grecaptcha
(+1 more)