• Resolved geektome

    (@geektome)


    We have been getting “spam” submissions to our Newsletter Signup. I tested by using Postman and simply removing the “g-recaptcha-response” field from the post. You would expect that if reCAPTCHA is set up in the plugin, removing that field completely would cause an error; however, it does not. Instead we get a “success” response. Leaving the field in and making it blank or putting in an invalid code works as expected and we get “Failed reCAPTCHA check”. However, if I can simply remove the “g-recaptcha-response” field altogether and it still works, that is a serious bug; it means a bot can post to /wp-admin/admin-ajax.php using action=ctct_process_form and bypass the reCAPTCHA, which is what appears to be happening to us.

Viewing 16 replies (of 16 total)
  • The topic ‘ReCAPTCHA can be bypassed’ is closed to new replies.
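
The behaviour reported in the opening post (blank or invalid token rejected, absent field accepted) is what a fail-open presence check produces. The following is an added example, not the plugin's code: the function names, the stand-in verifier and the sample request bodies are hypothetical, and the fail-open form is only an assumption about how such a gap can arise. It shows that pattern beside a fail-closed check that treats a missing field as a failure.

```php
<?php
// Added illustration. Function names are hypothetical, not taken from the plugin.

// Fail-open pattern: the token is verified only when the field is present,
// so a request that omits the field is never checked at all.
function recaptcha_ok_fail_open(array $post, callable $verify): bool {
    if (isset($post['g-recaptcha-response'])) {
        return $verify((string) $post['g-recaptcha-response']);
    }
    return true; // field absent: nothing was verified
}

// Fail-closed pattern: a missing, non-string or empty token is itself a failure.
function recaptcha_ok_fail_closed(array $post, callable $verify): bool {
    $token = $post['g-recaptcha-response'] ?? null;
    if (!is_string($token) || trim($token) === '') {
        return false;
    }
    return $verify($token) === true;
}

// Stand-in for the server-side token verification call, so the example
// runs offline. Only the constructed value 'valid-token' is accepted.
$verify = fn(string $token): bool => $token === 'valid-token';

// Constructed request bodies covering the cases described in the post.
$base  = ['action' => 'ctct_process_form', 'email' => 'user@example.com'];
$cases = [
    'field removed' => $base,
    'field blank'   => $base + ['g-recaptcha-response' => ''],
    'invalid token' => $base + ['g-recaptcha-response' => 'bogus'],
    'valid token'   => $base + ['g-recaptcha-response' => 'valid-token'],
];

foreach ($cases as $name => $post) {
    printf(
        "%-14s fail-open=%-5s fail-closed=%s\n",
        $name,
        var_export(recaptcha_ok_fail_open($post, $verify), true),
        var_export(recaptcha_ok_fail_closed($post, $verify), true)
    );
}
```

Only the "field removed" case differs between the two functions, which makes it the request worth replaying against a staging copy of your own form after updating the plugin.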