CVE-2026-10552
Deferred Deferred - Pending Action

Cross-Site Request Forgery in Blue Captcha WordPress Plugin

Vulnerability report for CVE-2026-10552, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: Wordfence

Description

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (blcap_main_page) and on the Hall of Shame and Log subpages, which accept a 'blcap_action' / 'action' parameter from $_REQUEST and perform destructive operations (plugin uninstall via blcap_uninstall(), log deletion via blcap_delete_logs(), Hall of Shame deletion via blcap_delete_ip_db(), and adding IPs to the banned list via update_option('blcap_settings')) with no wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() calls anywhere in the codebase. This makes it possible for unauthenticated attackers to uninstall the plugin, delete audit logs, remove Hall of Shame entries, and add arbitrary IP addresses to the block list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
blue_captcha blue_captcha to 2.0.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves Cross-Site Request Forgery (CSRF) attacks targeting the Blue Captcha WordPress plugin's admin panel and specific subpages. Detection would involve monitoring for suspicious HTTP requests that include parameters such as 'blcap_action' or 'action' performing destructive operations without proper nonce validation.

To detect potential exploitation attempts on your system or network, you can analyze web server logs for unusual POST or GET requests to the Blue Captcha plugin admin URLs containing these parameters.

Example commands to search for suspicious requests in Apache or Nginx logs might include:

  • grep -i 'blcap_action' /var/log/apache2/access.log
  • grep -i 'action=blcap_uninstall' /var/log/nginx/access.log
  • grep -i 'action=blcap_delete_logs' /var/log/apache2/access.log
  • grep -i 'action=blcap_delete_ip_db' /var/log/nginx/access.log

Additionally, monitoring for unexpected changes such as plugin uninstallation, deletion of logs, or modification of banned IP lists in the WordPress admin interface can indicate exploitation.

Executive Summary

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 2.0.1. This vulnerability arises because the plugin's main admin panel and certain subpages accept parameters from user requests without proper nonce validation. Specifically, destructive operations like uninstalling the plugin, deleting logs, removing entries from the Hall of Shame, and adding IP addresses to the banned list can be triggered without verifying the authenticity of the request.

As a result, an attacker can trick a site administrator into performing these actions by making them click on a malicious link, leading to unauthorized changes on the site.

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized destructive actions on your WordPress site if they can trick an administrator into clicking a malicious link. These actions include uninstalling the Blue Captcha plugin, deleting audit logs, removing entries from the Hall of Shame, and adding arbitrary IP addresses to the block list.

Such actions can disrupt your site's security measures, remove evidence of malicious activity, and potentially block legitimate users or allow attackers to manipulate access controls.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform destructive actions such as uninstalling the plugin, deleting audit logs, removing entries from the Hall of Shame, and adding arbitrary IP addresses to the block list by tricking a site administrator into clicking a forged request.

Deleting audit logs and modifying security-related settings without proper authorization can undermine the integrity and availability of security controls, which may negatively impact compliance with standards and regulations that require maintaining audit trails and protecting administrative functions, such as GDPR and HIPAA.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Blue Captcha plugin to a version later than 2.0.1 where the nonce validation issues are fixed.

If an update is not immediately available, consider temporarily disabling or uninstalling the Blue Captcha plugin to prevent exploitation.

Additionally, restrict access to the WordPress admin panel to trusted IP addresses and ensure that administrators are cautious about clicking on suspicious links that could trigger CSRF attacks.

Implementing Web Application Firewall (WAF) rules to block requests containing suspicious 'blcap_action' or 'action' parameters can also help reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10552. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart