If you do not see a CAPTCHA image in the frontend (and all needed PHP extensions have been checked for the activation) the issue is related to an unwriteable session save path. Fix below.
MediaLibrary 3.5.x Shop uses a session variable to keep the typed review on screen if a user accidentally types the CAPTCHA wrong. So they don't loose everything they typed and can try again. Nobody wants receive complaints from their users.
To work CAPTCHA for Guest users (for submitting Media reviews), we need to make sure that the session save path is writeable, so the session variable for each user can be stored when he is working.
Options for setting "session save path" in your installation. These solutions were provided on forum.joomla.org by Dean Marshall. Preferred solution is to apply them in php.ini, but it can be apply in .htaccess too if you don't have access to the bowels of your OS installation.
Best solution is to make the needed change in your php.ini file.
If you have a dedicated server, you can set the variable in the php configuration (php.ini). Just uncomment (remove the ; ). In front of the line ;session.save_path = "/tmp" change to session.save_path = "/tmp".
If you don't have access to that file, the best solution is to ask your provider to make the session_save_path writable. If they won't or cannot do that for you, you can still try the options below.
Also you can solve the problem by adding a line to your .htaccess file (Apache only) that looks something like this: php_value_session.save_path /usr/local/www/Joomla/sessions.
Adapt the path according to your actual installation. An added advantage of changing the session path instead of using the default /tmp is to keep all your session data out of public.
After fixing the session save path and restarting your webserver, the CAPTCHA images will show as they should.