You might want to include the math.js security enhancements described here: http://mathjs.org/docs/expressions/security.html

It would be ironic if hacked wordpress blogs started serving capchas with the equivalent of “Prove your humanity: 1 + pwnFn()”