Common CAPTCHA implementation vulnerabilities
The distorted text image may not be distorted enough and can be easily recognized by computers.
The CAPTCHA program can only generate a small set of challenges with a very limited set of possible responses, giving the automated scripts a high probability of guessing the right answer.
The CAPTCHA distorted text image IDs are not randomized and the correlation of the image ID and the correct response can be easily inferred.
The CAPTCHA program may allow for multiple attempts at the same question (same distorted text image), giving the automated script a chance at dictionary-attacking CAPTCHA itself. When a human user makes a mistake at responding to a CAPTCHA challenge, the CAPTCHA program should generate a different challenge.
The CAPTCHA program does not keep track of the CAPTCHA image IDs sent to the user, and allows the user to submit the response of an image that has been previously solved.
If the CPATCHA images are identified by session IDs, after the user has submitted the protected input data, the session should be destroyed. Otherwise, once the CAPTCHA image has been correctly solved, the attacker can re-use the same session to submit the protected input data again, negating the purpose of CAPTCHA protection.