Like everyone, we are experiencing spam issues on our WordPress site. We get a significant amount of traffic every month and we've run into a weird issue. We are using the Really Simple Captcha plugin with Contact Form 7 and it works great for the most part (it cut down on almost all spam) except there are a handful of cases every day that still get through. The form we have it on is a flyout contact form that shows up when you hover over a link in the header. It's basically on every page on the site.
In the e-mail we receive from the submission, we have the URL that the message is coming from printed out at the bottom. The one thing that all of the successful spam messages have in common is the "?action=register" is appended to the URLs they are sending from. If I go to the link that it's being sent from and append that on the end of the URL, the form and CAPTCHA still work (i.e. if I type the CAPTCHA wrong it blocks me out). So that's weird.
I know that "?action=register" is usually appended to wp-login.php for users to register on the site. I also know that there is a plugin out there (https://wordpress.org/plugins/custom-registration-link/) that will fix it to a degree but the plugin is very outdated and it's also just to change the registration link (not necessarily to prevent spam).
We have the registration shut down on our site since we manually enter users if we need to so I know of a couple patches I can use to solve this (redirect people away when $_GET['action'] is set for example), but it doesn't answer why this would be happening. How would there be any vulnerability with just a GET variable?