• We ran into a problem with a spam-bot.
    As it turned out they first did a GET to our contact form.
    Then without executing anything they did a POST /wp-admin/admin-ajax.php with parameters they had already predetermined. In particular, they DID NOT send in the recaptcha_response parameter.
    The code in inc/action.php looks like this:
    if (!empty($zendesk_settings['google_captcha_secret']) && !empty($_POST["recaptcha_response"])) {
        // check and fail here if the recaptcha_response is bad
    }

    BUT as the recaptcha_response did not exist, nothing was checked and nothing failed and the spam bot succeeded in creating Zendesk tickets.

    I think that if you have set a google_captcha_secret the code should fail if recaptcha_response is not set. I made this change locally – and with that change the spambot failed and normal submits from the website work as they should.
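
The condition quoted in the post next to a fail-closed variant, as an added example that is not part of the original post or the plugin's code. The function names, the injected `$verify` callable and all sample values are hypothetical and constructed so the script runs offline.

```php
<?php
// Added illustration; function and variable names are hypothetical, not the plugin's.

// Logic as quoted in the post: verification only runs when the token is
// present, so a POST that omits recaptcha_response skips the check entirely.
function gate_fail_open(array $settings, array $post, callable $verify): bool
{
    if (!empty($settings['google_captcha_secret']) && !empty($post['recaptcha_response'])) {
        return $verify($settings['google_captcha_secret'], $post['recaptcha_response']);
    }
    return true; // falls through: request accepted without any check
}

// Fail-closed logic: once a secret is configured, a missing, empty or
// non-string token is rejected before the verifier is ever called.
function gate_fail_closed(array $settings, array $post, callable $verify): bool
{
    if (empty($settings['google_captcha_secret'])) {
        return true; // captcha not configured on this site
    }
    $token = $post['recaptcha_response'] ?? null;
    if (!is_string($token) || trim($token) === '') {
        return false;
    }
    return $verify($settings['google_captcha_secret'], $token) === true;
}

// Stand-in verifier (assumption: the real one queries the reCAPTCHA
// service and returns a bool). Accepts only one constructed token.
$verify = fn($secret, $token) => $token === 'constructed-good-token';

// Constructed settings and request bodies.
$settings = ['google_captcha_secret' => 'constructed-secret'];
$cases = [
    'token omitted' => ['action' => 'submit'],
    'token empty'   => ['recaptcha_response' => ''],
    'token bad'     => ['recaptcha_response' => 'constructed-bad-token'],
    'token good'    => ['recaptcha_response' => 'constructed-good-token'],
];
foreach ($cases as $name => $post) {
    printf("%-14s fail_open=%s fail_closed=%s\n", $name,
        var_export(gate_fail_open($settings, $post, $verify), true),
        var_export(gate_fail_closed($settings, $post, $verify), true));
}
```

The two functions differ only on the omitted and empty rows, which is the request shape described in the post.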
