WP-Safety

Ultimate WP Captcha Security & Risk Analysis

wordpress.org/plugins/ultimate-wp-captcha

Enables Google reCAPTCHA and hCaptcha for the WordPress website forms.

300 active installs v1.1.9 PHP 5.7+ WP 4.5+ Updated Feb 2, 2026
hcaptcharecaptchawoocommerce-recaptchawp-hcaptchawp-recaptcha
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Ultimate WP Captcha Safe to Use in 2026?

Generally Safe

Score 100/100

Ultimate WP Captcha has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2mo ago
Risk Assessment

The "ultimate-wp-captcha" v1.1.9 plugin exhibits a generally strong security posture based on the provided static analysis. The absence of any known CVEs and a clean vulnerability history are positive indicators, suggesting the developers have a good track record of addressing security issues. The code also demonstrates good practices such as using prepared statements for all SQL queries and a high percentage of properly escaped output. However, there are potential areas for concern. The presence of two flows with unsanitized paths, even though they are not classified as critical or high severity, warrants attention. This could indicate potential weaknesses in how user-supplied data is handled, which might be exploitable under specific circumstances. Additionally, the plugin makes two external HTTP requests, which introduces a dependency on external services that could be a vector for attacks if those services are compromised or manipulated. The lack of capability checks on any entry points also means that even if an attacker were to find a way to trigger these unsanitized paths, they might not face authorization barriers.

Key Concerns

  • Flows with unsanitized paths found
  • External HTTP requests made
  • No capability checks on entry points
Vulnerabilities
None known

Ultimate WP Captcha Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Ultimate WP Captcha Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
4
33 escaped
Nonce Checks
1
Capability Checks
0
File Operations
0
External Requests
2
Bundled Libraries
0

Output Escaping

89% escaped37 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
uwc_hcaptcha_verify_response (includes\class-uwc-captcha-form-action-handler.php:210)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Ultimate WP Captcha Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 28
filterwp_authenticate_userincludes\class-uwc-captcha-form-action-handler.php:40
filterregistration_errorsincludes\class-uwc-captcha-form-action-handler.php:41
filterlostpassword_postincludes\class-uwc-captcha-form-action-handler.php:42
filterwoocommerce_registration_errorsincludes\class-uwc-captcha-form-action-handler.php:43
filterlearndash_alert_messageincludes\class-uwc-captcha-form-action-handler.php:44
filterlearndash_safe_redirect_locationincludes\class-uwc-captcha-form-action-handler.php:45
filterlearndash-registration-errorsincludes\class-uwc-captcha-form-action-handler.php:46
actionwoocommerce_after_checkout_validationincludes\class-uwc-captcha-form-action-handler.php:47
filterpreprocess_commentincludes\class-uwc-captcha-form-action-handler.php:48
actioninitincludes\class-uwc-captcha-form-render.php:20
actionlogin_formincludes\class-uwc-captcha-form-render.php:30
filterlogin_form_middleincludes\class-uwc-captcha-form-render.php:33
actionregister_formincludes\class-uwc-captcha-form-render.php:36
actionlostpassword_formincludes\class-uwc-captcha-form-render.php:39
actioncomment_form_after_fieldsincludes\class-uwc-captcha-form-render.php:42
actioncomment_form_logged_in_afterincludes\class-uwc-captcha-form-render.php:43
actionwoocommerce_login_formincludes\class-uwc-captcha-form-render.php:46
actionwoocommerce_register_formincludes\class-uwc-captcha-form-render.php:49
actionwoocommerce_lostpassword_formincludes\class-uwc-captcha-form-render.php:52
actionwoocommerce_review_order_before_submitincludes\class-uwc-captcha-form-render.php:55
actionwp_enqueue_scriptsincludes\class-uwc-captcha-form-render.php:57
actionlogin_enqueue_scriptsincludes\class-uwc-captcha-form-render.php:58
actionadmin_initincludes\class-uwc-setting-page.php:21
actionadmin_menuincludes\class-uwc-setting-page.php:22
actionadmin_footerincludes\class-uwc-setting-page.php:23
actionadmin_noticesincludes\class-uwc-setting-page.php:103
actionplugins_loadedultimate-wp-captcha.php:29
actionadmin_initultimate-wp-captcha.php:65
Maintenance & Trust

Ultimate WP Captcha Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 2, 2026
PHP min version5.7
Downloads11K

Community Trust

Rating100/100
Number of ratings2
Active installs300
Alternatives

Ultimate WP Captcha Alternatives

CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress

CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress

advanced-nocaptcha-recaptcha

A
99

Use CAPTCHA to stop spam and allow customers & users to interact with your website easily. Block fake accounts and orders. Avoid false positives.

100K 1 CVE
Contact Form 7 Captcha

Contact Form 7 Captcha

contact-form-7-simple-recaptcha

A
99

Protect your Contact Form 7 forms with Google reCAPTCHA V2, Google reCAPTCHA V3, hCAPTCHA, or Cloudflare Turnstile.

100K 2 CVEs
G-Forms hCaptcha

G-Forms hCaptcha

gf-hcaptcha

A
85

A new way to monetize your site traffic with the hCaptcha addon for Gravity Forms.

3K No CVEs
reCaptcha for WooCommerce

reCaptcha for WooCommerce

advanced-google-recaptcha-for-woocommerce

A
100

Enable Google reCaptcha for WooCommerce Checkout, Login, Registration, and Reset Password Forms to protect your store against spam.

300 No CVEs
Mailster hCaptcha

Mailster hCaptcha

mailster-hcaptcha

A
92

Adds a hCaptcha to your Mailster subscription forms.

100 No CVEs
Developer Profile

Ultimate WP Captcha Developer Profile

Zeeshan Khan

1 plugin · 300 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Ultimate WP Captcha

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ultimate-wp-captcha/assets/js/admin.js/wp-content/plugins/ultimate-wp-captcha/assets/js/frontend.js/wp-content/plugins/ultimate-wp-captcha/assets/js/grecaptcha.js/wp-content/plugins/ultimate-wp-captcha/assets/css/backend.css/wp-content/plugins/ultimate-wp-captcha/assets/css/frontend.css
Script Paths
/wp-content/plugins/ultimate-wp-captcha/assets/js/admin.js/wp-content/plugins/ultimate-wp-captcha/assets/js/frontend.js/wp-content/plugins/ultimate-wp-captcha/assets/js/grecaptcha.js
Version Parameters
ultimate-wp-captcha/assets/js/admin.js?ver=ultimate-wp-captcha/assets/js/frontend.js?ver=ultimate-wp-captcha/assets/js/grecaptcha.js?ver=ultimate-wp-captcha/assets/css/backend.css?ver=ultimate-wp-captcha/assets/css/frontend.css?ver=

HTML / DOM Fingerprints

CSS Classes
uwc-form-captcha
HTML Comments
<!-- UWC Captcha Code -->
Data Attributes
data-sitekeydata-callback
JS Globals
var uwcCaptchavar $uwcvar captcha_methodvar uwc_recaptcha_sitekeyvar uwc_hcaptcha_sitekeyvar uwc_captcha_theme
FAQ

Frequently Asked Questions about Ultimate WP Captcha