Here is a patch for subscribe.php (4.0.3.2) to address the captcha issue from this post and another issue that allows bypassing double-opt-in by setting silent=true:
https://pastebin.com/dT1NszTt
this change requires verifying secret api key in the subform=no case and restricts opt_in bypass to this subscribe api usage (since captcha is not good enough to stop all bots)
this change requires verifying secret api key in the subform=no case and restricts opt_in bypass to this subscribe api usage (since captcha is not good enough to stop all bots)