CVE-2026-10552
Cross-Site Request Forgery in Blue Captcha WordPress Plugin

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Wordfence

Description
The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (blcap_main_page) and on the Hall of Shame and Log subpages, which accept a 'blcap_action' / 'action' parameter from $_REQUEST and perform destructive operations (plugin uninstall via blcap_uninstall(), log deletion via blcap_delete_logs(), Hall of Shame deletion via blcap_delete_ip_db(), and adding IPs to the banned list via update_option('blcap_settings')) with no wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() calls anywhere in the codebase. This makes it possible for unauthenticated attackers to uninstall the plugin, delete audit logs, remove Hall of Shame entries, and add arbitrary IP addresses to the block list via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
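To illustrate the weakness class the description names, here is an added example (not the Blue Captcha plugin's source) of an admin-page handler that dispatches on a request parameter with no nonce check, beside a hardened form that ties the action to a capability check and an action-specific nonce. blcap_delete_logs() and blcap_uninstall() are named in the advisory; the handler structure, blcap_render_page(), the option capability and the nonce action strings are assumptions.

```php
<?php
// Added illustration only; NOT the Blue Captcha plugin's code. The weak
// handler mirrors the pattern in the advisory: the action is read from
// $_REQUEST and executed with no proof the administrator intended it, so a
// request produced by another site in the admin's browser is treated the
// same as a click on the plugin's own page.
function blcap_main_page_weak() {
    $action = isset( $_REQUEST['blcap_action'] ) ? $_REQUEST['blcap_action'] : '';
    if ( 'delete_logs' === $action ) {
        blcap_delete_logs();      // named in the advisory; body not shown
    } elseif ( 'uninstall' === $action ) {
        blcap_uninstall();
    }
    blcap_render_page();          // hypothetical page renderer
}

// Hardened shape: state changes only via POST, only for users holding the
// capability, and only with a nonce generated for this specific action.
// check_admin_referer() calls wp_die() (HTTP 403) when the nonce is missing
// or invalid, so the destructive code below it is never reached on a forgery.
function blcap_main_page_hardened() {
    $action = isset( $_POST['blcap_action'] )
        ? sanitize_key( wp_unslash( $_POST['blcap_action'] ) )
        : '';
    if ( '' !== $action ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to do this.', 'blue-captcha' ), 403 );
        }
        check_admin_referer( 'blcap_' . $action, 'blcap_nonce' );
        if ( 'delete_logs' === $action ) {
            blcap_delete_logs();
        } elseif ( 'uninstall' === $action ) {
            blcap_uninstall();
        }
    }
    blcap_render_page();
}

// The plugin's own form embeds the matching nonce; a cross-origin page cannot
// read it, so a forged request fails the check above.
function blcap_render_delete_logs_form() {
    echo '<form method="post">';
    wp_nonce_field( 'blcap_delete_logs', 'blcap_nonce' );
    echo '<input type="hidden" name="blcap_action" value="delete_logs" />';
    submit_button( __( 'Delete logs', 'blue-captcha' ), 'delete' );
    echo '</form>';
}
```

When auditing a plugin for this class of bug, grep for $_REQUEST/$_GET/$_POST reads in admin handlers and confirm each state-changing branch is preceded by a check_admin_referer() or wp_verify_nonce() call plus a current_user_can() check.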
Affected Vendors & Products
Vendor: blue_captcha
Product: blue_captcha
Version / Range: up to and including 2.0.1
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Executive Summary

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 2.0.1. This vulnerability arises because the plugin's main admin panel and certain subpages accept parameters from user requests without proper nonce validation. Specifically, destructive operations like uninstalling the plugin, deleting logs, removing entries from the Hall of Shame, and adding IP addresses to the banned list can be triggered without verifying the authenticity of the request.

As a result, an attacker can trick a site administrator into performing these actions by making them click on a malicious link, leading to unauthorized changes on the site.

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized destructive actions on your WordPress site if they can trick an administrator into clicking a malicious link. These actions include uninstalling the Blue Captcha plugin, deleting audit logs, removing entries from the Hall of Shame, and adding arbitrary IP addresses to the block list.

Such actions can disrupt your site's security measures, remove evidence of malicious activity, and potentially block legitimate users or allow attackers to manipulate access controls.
