At first glance, it looks as if your only problem is that the Captcha field is only being validated by spry validation (client side validation) with the only criterion being that it is 'required'. This means that as long as something is entered, the form will be allowed to send.You will need to add server side validation in order that whatever is input into the field is compared to the generated Captcha code, and only if it is the same will it be allowed to send.
This doesn't appear to have been added at the time you made the form, - i don't know why not - but you can add it now. You can either:
• Re-enter the CSSFormBuilder's UI and have it add a new Captcha field (might be easier to remove the existing one and add new one)
• Add server-side validation to the Captcha input field (double-click 'WA Server Validations' in the Server Behaviors Panel, and add Validation Type 'Like Entry' and for the Server Variable (lightening bolt) select the captcha field, or:
• Add the following code to the end of the server validations block of code at (about) line 19:
$WAFV_Errors .= WAValidateLE((strtolower(isset($_POST["fieldset_group_Security_code"])?$_POST["fieldset_group_Security_code"]:"")) . "",((isset($_SESSION["captcha_fieldset_group_Security_code"]))?strtolower($_SESSION["captcha_fieldset_group_Security_code"]):"") . "",true,9);
This is the first thing to try, there may be more. Add the server side validation, upload the page and post back with the results.