• I work with a hosting company, and one of our customers is receiving large amounts of spam through VFB despite having a reCAPTCHA v2 checkbox on the form.

    After some debugging, we found this is happening because the spammer’s bot is not sending the “_vfb_recaptcha_enabled=1” field as part of the form POST parameters. When that parameter is missing, the VFB recaptcha_check() code assumes the form has no reCAPTCHA protection enabled and completely skips the reCAPTCHA check:

    public function recaptcha_check() {
    ...
      // If reCAPTCHA protection is not enabled, don't proceed
      if ( !isset( $_POST['_vfb_recaptcha_enabled'] ) )
          return true;

    This allows spammers to easily bypass reCAPTCHA protection on VFB forms.

    To protect against this, the VFB reCAPTCHA code should probably notice on submission that a form has reCAPTCHA protection, but that the “_vfb_recaptcha_enabled” parameter is missing. This is a sign of a bot that is manipulating the input to bypass reCAPTCHA.
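As an added illustration (not VFB's own code, and not from the poster), the vulnerable pattern beside a hardened version in which the server's stored form settings, not a client-supplied POST field, decide whether verification is required. The `form_id` POST field, the `vfb_example_form_has_recaptcha()` lookup and the secret-key constant are assumptions; `wp_remote_post()` and the siteverify endpoint are the standard WordPress and Google APIs.

```php
<?php
// Assumption: server-side lookup of the form's own settings. Constructed map for the example.
function vfb_example_form_has_recaptcha( int $form_id ): bool {
    $settings = [ 12 => [ 'recaptcha' => true ], 13 => [ 'recaptcha' => false ] ];
    return ! empty( $settings[ $form_id ]['recaptcha'] );
}

// Verify the token with Google's siteverify endpoint (RECAPTCHA_SECRET_KEY is an assumed constant).
function vfb_example_verify_token( string $token ): bool {
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', [
        'body' => [ 'secret' => RECAPTCHA_SECRET_KEY, 'response' => $token, 'remoteip' => $_SERVER['REMOTE_ADDR'] ?? '' ],
    ] );
    if ( is_wp_error( $response ) ) {
        return false; // fail closed when Google cannot be reached
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    return ! empty( $body['success'] );
}

// Vulnerable pattern described in the post: the client's hidden field decides whether to check.
function recaptcha_check_vulnerable( array $post ): bool {
    if ( ! isset( $post['_vfb_recaptcha_enabled'] ) ) {
        return true; // a bot that omits the field skips verification entirely
    }
    return vfb_example_verify_token( $post['g-recaptcha-response'] ?? '' );
}

// Hardened: the stored form configuration decides; the hidden field carries no authority.
function recaptcha_check_hardened( array $post ): bool {
    $form_id = (int) ( $post['form_id'] ?? 0 );
    if ( ! vfb_example_form_has_recaptcha( $form_id ) ) {
        return true; // this form genuinely has no reCAPTCHA configured
    }
    // The form requires reCAPTCHA, so a missing flag or token means the submission was tampered with.
    if ( ! isset( $post['_vfb_recaptcha_enabled'] ) || empty( $post['g-recaptcha-response'] ) ) {
        error_log( sprintf( 'VFB: reCAPTCHA fields missing on protected form %d, rejecting submission', $form_id ) );
        return false;
    }
    return vfb_example_verify_token( $post['g-recaptcha-response'] );
}
```

The `error_log()` line gives a hook for spotting this kind of tampering in the server logs: a burst of rejected submissions on a protected form is the signal the poster describes.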

  • The topic ‘Spammers can easily bypass VFB reCAPTCHA (and are doing so)’ is closed to new replies.