Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • skullbit
    It’s not too hard to replace file_get_contents with fopen, fread, fclose, is it?
    About the $_SESSION var, you are right. I’m not going to prove anything to you; I can only explain that, if I understand correctly, you were trying to modify the main $_SESSION variable (in wp-login.php) in a script which was called as an image! I don’t think it’ll work, since that “image” starts a new session, and when it finishes execution, the session is destroyed and so are its session variables.
    I can prove something else to you: try var_dump($_SESSION); right before $key=substr($_SESSION['key'],0,5); in register-plus.php.
    Mine shows NULL. But I may be wrong. Maybe it somehow depends on the WP or server configuration…? I’m not sure, I installed WordPress yesterday ;)

    I’ll stick with my version for some time – it’s ugly, but it works;)

    The image bug is quite simple to solve; I think that modifying the $_SESSION variable of the main script with another one that is just being launched by <img src="" /> will not work… Just think about it, one link to an image and one could gain access to your whole $_SESSION.
    I’ve made a temporary workaround by replacing:
    $_SESSION['key'] = $ResultStr;// carry the data through session
    with

    $plik = fopen('captcha.md5','wb');
    flock($plik, LOCK_EX);
    fputs($plik, md5($ResultStr));
    flock($plik, LOCK_UN);
    fclose($plik);

    in file captcha.php, and

    $key=substr($_SESSION['key'],0,5);
    $number = $_POST['captcha'];

    with

    $key=trim(file_get_contents(trailingslashit(get_option('siteurl')) . 'wp-content/plugins/' . basename(dirname(__FILE__)) .'/captcha.md5'));
    $number = md5($_POST['captcha']);

    in file register-plus.php (both in register-plus home directory).
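
The workaround above keeps a single captcha.md5 for the whole site, so each image request overwrites the answer expected from every other visitor. As an added example (not from this thread or from Register Plus), here is a per-challenge variant in PHP; the function names, token scheme, TTL and storage directory are assumptions.

```php
<?php
// Added example, not Register Plus code; names and storage directory are hypothetical.
const CAPTCHA_TTL = 600; // seconds a challenge stays valid (constructed value)

function captcha_path(string $token): ?string {
    // Accept only the 32-hex-char tokens we issue, so the token cannot
    // be used to build an arbitrary path.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $dir = sys_get_temp_dir() . '/captcha-demo'; // outside the web root
    if (!is_dir($dir)) { mkdir($dir, 0700, true); }
    return $dir . '/' . $token;
}

// Form page: one token per rendered form, sent as a hidden field and in
// the <img src="captcha.php?t=..."> URL.
function captcha_new_token(): string {
    return bin2hex(random_bytes(16));
}

// Image script: remember the answer for this token only.
function captcha_store(string $token, string $answer): bool {
    $path = captcha_path($token);
    return $path !== null
        && file_put_contents($path, hash('sha256', $answer), LOCK_EX) !== false;
}

// Registration handler: each challenge can be checked once.
function captcha_verify(string $token, string $input): bool {
    $path = captcha_path($token);
    if ($path === null || !is_file($path)) {
        return false;
    }
    $fresh = (time() - filemtime($path)) <= CAPTCHA_TTL;
    $expected = (string) file_get_contents($path);
    unlink($path); // one-time use, whether or not the answer matched
    return $fresh && hash_equals($expected, hash('sha256', $input));
}

// Constructed demo: two visitors no longer overwrite each other.
[$a, $b] = [captcha_new_token(), captcha_new_token()];
captcha_store($a, 'k3x9p');
captcha_store($b, 'q7m2z');
var_dump(captcha_verify($a, 'k3x9p'));     // visitor A, correct answer
var_dump(captcha_verify($b, 'k3x9p'));     // visitor B, wrong answer
var_dump(captcha_verify($a, 'k3x9p'));     // replay of A's used challenge
var_dump(captcha_verify('../x', 'k3x9p')); // malformed token
```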
