The hash of the WPS PIN doesn't leave the router. It is stored on the router.
Client and router perform a Diffie-Hellman key exchange and then use hashes of the PIN and the exchanged keys to prove to each other knowledge of the PIN. The only way to obtain the PIN is to obtain physical access to the router and somehow extract it from its memory.
But that doesn't mean WPS with PIN is secure. Most wifi routers don't rate-limit the number of PIN entries. WPS PINs are limited to 8 digits of 0-9. That's already weak, but it gets even weaker because the 8th digit is just a checksum calculated from the other 7 and the access point already gives feedback when the first 4 digits of the PIN are correct. That means WPS with PIN can often be brute-forced in about a day.
A more secure variant of WPS is the push-button method where you press a physical button on the router and then have a few minutes to connect new devices. You just need to hope that:
- no attacker comes around in that time window and
- no attacker gets physical access to your wifi router and
- your router actually allows you to deactivate WPS with PIN while still allowing WPS with push-button. Many don't.
Bottom line: If you want a secure home WiFi network, specifically look for a WiFi router which does not support WPS or at least allows you to disable it.
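The search-space arithmetic from the paragraph on PIN brute-forcing, as an added example that is not part of the original answer: the check-digit routine follows the publicly documented WPS checksum, while the 8 seconds per attempt and the lockout policy are constructed assumptions used to show how rate limiting changes the worst case. It also assumes the second half of the PIN is confirmed separately once the first 4 digits are known.

```python
# Added example: models the WPS PIN search space and the effect of a lockout.

def wps_checksum(first7: int) -> int:
    """Check digit for the 7 free digits (weights 3,1,3,1,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 ASCII digits and the 8th matches the checksum."""
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])

def worst_case_guesses() -> dict:
    """Worst-case number of PIN entries under each view of the PIN."""
    return {
        "8 free digits": 10 ** 8,
        "7 free digits + checksum": 10 ** 7,
        # First 4 digits confirmed on their own, then 3 free digits + checksum.
        "split halves": 10 ** 4 + 10 ** 3,
    }

def worst_case_hours(guesses: int, seconds_per_guess: float,
                     lockout_after: int = 0, lockout_seconds: float = 0) -> float:
    """Time to exhaust `guesses`, with an optional lock after every N failures."""
    total = guesses * seconds_per_guess
    if lockout_after:
        total += ((guesses - 1) // lockout_after) * lockout_seconds
    return total / 3600

if __name__ == "__main__":
    for label, n in worst_case_guesses().items():
        print(f"{label:26s} {n:>11,d} guesses")
    split = worst_case_guesses()["split halves"]
    # Constructed assumptions: 8 s per attempt; lock for 1 hour after 3 failures.
    print(f"no rate limit : {worst_case_hours(split, 8):8.1f} hours")
    print(f"3 tries / 1 h : {worst_case_hours(split, 8, 3, 3600) / 24:8.1f} days")
```

With these assumed timings the split PIN is exhausted in roughly a day without rate limiting, while a one-hour lock after every three failures stretches the same search to about five months.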