Yea he can't forgot about email authentication. But still this captcha beats the purpose of using captcha.
Is there some SQL injection possible at email authentication link ? It seems another user was talking about it or is that fixed now ?
I am not aware it was there before or not but seems to be fixed now.