Channel: WordPress.org Forums » [Visual Form Builder] Support

Spammers can easily bypass VFB reCAPTCHA (and are doing so)


Replies: 0

I work with a hosting company, and one of our customers is receiving large amounts of spam through VFB despite having a reCAPTCHA v2 checkbox on the form.

After some debugging, we found this is happening because the spammer’s bot is not sending the “_vfb_recaptcha_enabled=1” field as part of the form POST parameters. When that parameter is missing, the VFB recaptcha_check() code assumes the form has no reCAPTCHA protection enabled and completely skips the reCAPTCHA check:

public function recaptcha_check() {
...
  // If reCAPTCHA protection is not enabled, don't proceed
  if ( !isset( $_POST['_vfb_recaptcha_enabled'] ) )
      return true;

This allows spammers to easily bypass reCAPTCHA protection on VFB forms.

To protect against this, the VFB reCAPTCHA code should probably notice on submission that a form has reCAPTCHA protection, but that the “_vfb_recaptcha_enabled” parameter is missing. This is a sign of a bot that is manipulating the input to bypass reCAPTCHA.
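
The check described in the post, shown next to a version that takes the "is reCAPTCHA enabled" decision from server-side form configuration instead of the POST body. This is an added example, not part of the original post and not Visual Form Builder's code; the function names, the settings lookup and the verifier stub are hypothetical, and the sample submission is constructed. The same submission passes the client-trusting check and is rejected by the server-side one for a protected form.

```php
<?php
// Added example. All function names and the settings lookup are hypothetical;
// this is not Visual Form Builder's code.

// Constructed stand-in for per-form settings stored on the server.
function example_form_settings( int $form_id ): array {
    $forms = array(
        1 => array( 'recaptcha_enabled' => true ),
        2 => array( 'recaptcha_enabled' => false ),
    );
    // Unknown form: fail closed and require the check.
    return $forms[ $form_id ] ?? array( 'recaptcha_enabled' => true );
}

// 'g-recaptcha-response' is the field the reCAPTCHA v2 widget adds to the form.
function example_token( array $post ): string {
    $token = $post['g-recaptcha-response'] ?? '';
    return is_string( $token ) ? $token : '';
}

// Pattern from the post: a client-supplied field decides whether the check runs.
function client_trusting_check( array $post, callable $verify ): bool {
    if ( ! isset( $post['_vfb_recaptcha_enabled'] ) ) {
        return true; // field omitted, check skipped
    }
    return $verify( example_token( $post ) );
}

// Hardened: stored configuration decides; the POST only supplies the token.
function server_side_check( int $form_id, array $post, callable $verify ): bool {
    if ( ! example_form_settings( $form_id )['recaptcha_enabled'] ) {
        return true;
    }
    $token = example_token( $post );
    return '' !== $token && $verify( $token ); // protected form, no token: reject
}

// Constructed verifier stub standing in for the server-side siteverify call.
$verify = function ( string $token ): bool {
    return 'constructed-valid-token' === $token;
};

// Constructed submission that omits both the flag and the token.
$post = array( 'message' => 'hello' );

var_dump( client_trusting_check( $post, $verify ) );
var_dump( server_side_check( 1, $post, $verify ) );
var_dump( server_side_check( 2, $post, $verify ) );
```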

