Description
The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (blcap_main_page) and on the Hall of Shame and Log subpages, which accept a 'blcap_action' / 'action' parameter from $_REQUEST and perform destructive operations (plugin uninstall via blcap_uninstall(), log deletion via blcap_delete_logs(), Hall of Shame deletion via blcap_delete_ip_db(), and adding IPs to the banned list via update_option('blcap_settings')) with no wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() calls anywhere in the codebase. This makes it possible for unauthenticated attackers to uninstall the plugin, delete audit logs, remove Hall of Shame entries, and add arbitrary IP addresses to the block list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Blue Captcha plugin for WordPress suffers from missing or incorrect nonce validation on several admin pages, including the main panel and its subpages. Because the 'blcap_action' / 'action' request parameter is read directly from $_REQUEST without any wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() check, an attacker can craft a forged request that an administrator will unknowingly trigger. This allows destructive operations such as uninstalling the plugin, deleting audit logs, wiping Hall of Shame entries, and adding arbitrary IP addresses to the block list.
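To make the defect and its fix concrete, here is an added illustration that is not the Blue Captcha plugin's own code. It places the pattern the advisory describes (an action name read from $_REQUEST and acted on with no nonce or capability check) beside the hardened form WordPress provides for: a per-action nonce minted with wp_nonce_field() and verified with check_admin_referer(), plus a current_user_can() check. The functions blcap_uninstall(), blcap_delete_logs(), blcap_delete_ip_db() and the option name blcap_settings come from the advisory; their bodies, the action strings, the nonce field name and the 'banned_ips' settings key are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. Stand-ins for the plugin functions
// named in the advisory (bodies are placeholders).
function blcap_uninstall()    { delete_option( 'blcap_settings' ); }
function blcap_delete_logs()  { /* drop the plugin's log rows */ }
function blcap_delete_ip_db() { /* clear the Hall of Shame table */ }

// --- Pattern described in the advisory (vulnerable) ---------------------------
// The action is taken from $_REQUEST (GET, POST or cookie) and executed as soon
// as any logged-in admin's browser reaches this page, so a forged link or form
// on a third-party site is enough to trigger it.
function blcap_main_page_vulnerable() {
    $action = isset( $_REQUEST['blcap_action'] ) ? $_REQUEST['blcap_action'] : '';
    switch ( $action ) {
        case 'uninstall':    blcap_uninstall();    break;
        case 'delete_logs':  blcap_delete_logs();  break;
        case 'delete_ip_db': blcap_delete_ip_db(); break;
    }
}

// --- Hardened form --------------------------------------------------------------
const BLCAP_NONCE_FIELD = 'blcap_nonce'; // assumed field name

function blcap_main_page_hardened() {
    // Capability check: CSRF protection is not a substitute for authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'blue-captcha' ) );
    }

    // Read state-changing input from POST only, never from $_REQUEST.
    $action = isset( $_POST['blcap_action'] )
        ? sanitize_key( wp_unslash( $_POST['blcap_action'] ) )
        : '';
    if ( '' === $action ) {
        return; // plain page view, nothing to do
    }

    // check_admin_referer() runs wp_verify_nonce() on the named field and dies
    // with WordPress's "link has expired" page if the nonce is missing, stale
    // or forged. Binding the nonce to 'blcap_' . $action means a nonce issued
    // for one operation cannot be replayed for a different one.
    check_admin_referer( 'blcap_' . $action, BLCAP_NONCE_FIELD );

    switch ( $action ) {
        case 'uninstall':
            blcap_uninstall();
            break;
        case 'delete_logs':
            blcap_delete_logs();
            break;
        case 'delete_ip_db':
            blcap_delete_ip_db();
            break;
        case 'ban_ip':
            // Validate the IP before persisting it via update_option('blcap_settings').
            $ip = isset( $_POST['ip'] ) ? sanitize_text_field( wp_unslash( $_POST['ip'] ) ) : '';
            if ( false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
                wp_die( esc_html__( 'Invalid IP address.', 'blue-captcha' ) );
            }
            $settings = (array) get_option( 'blcap_settings', array() );
            $settings['banned_ips'][] = $ip; // 'banned_ips' key is assumed
            update_option( 'blcap_settings', $settings );
            break;
        default:
            wp_die( esc_html__( 'Unknown action.', 'blue-captcha' ) );
    }
}

// Every destructive control is rendered as a POST form that carries a nonce for
// exactly that action, which is what the hardened handler above verifies.
function blcap_render_action_form( $action, $label ) {
    echo '<form method="post">';
    echo '<input type="hidden" name="blcap_action" value="' . esc_attr( $action ) . '" />';
    wp_nonce_field( 'blcap_' . $action, BLCAP_NONCE_FIELD );
    submit_button( $label, 'delete', 'submit', false );
    echo '</form>';
}
```

The two handlers differ in three places a reviewer should look for when auditing any WordPress admin page: the input source ($_POST instead of $_REQUEST), the nonce check immediately before the action dispatch, and the capability check at the top. Wordfence's finding that none of wp_verify_nonce(), check_admin_referer() or check_ajax_referer() appear anywhere in the plugin is exactly the absence of the check_admin_referer() line above; a grep for those three names is a quick first pass when reviewing a plugin for CWE-352.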

Affected Systems

WordPress sites running the Blue Captcha plugin version 2.0.1 or earlier, as distributed by the vendor jotis. Any installation of these versions is vulnerable regardless of the WordPress core version or other plugins.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The exploit requires an attacker to trick a site administrator into opening a specially crafted link or form; thus, it relies on social engineering rather than privilege escalation. Sites with an active WordPress admin who has access to the Blue Captcha pages are at risk of having the plugin uninstalled, logs erased, or IP addresses added to the block list.

Generated by OpenCVE AI on June 24, 2026 at 09:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Blue Captcha release, which includes proper CSRF checks on admin actions.
  • If an upgrade is not possible, deactivate or uninstall the plugin until a patched version becomes available.
  • Limit administrative access to a small set of trusted users, enforce HTTPS, and consider using a security plugin that detects and blocks anomalous blcap_action requests.



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Values Removed: none shown

Values Added:
  • Description: The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (blcap_main_page) and on the Hall of Shame and Log subpages, which accept a 'blcap_action' / 'action' parameter from $_REQUEST and perform destructive operations (plugin uninstall via blcap_uninstall(), log deletion via blcap_delete_logs(), Hall of Shame deletion via blcap_delete_ip_db(), and adding IPs to the banned list via update_option('blcap_settings')) with no wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() calls anywhere in the codebase. This makes it possible for unauthenticated attackers to uninstall the plugin, delete audit logs, remove Hall of Shame entries, and add arbitrary IP addresses to the block list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
  • Title: Blue Captcha <= 2.0.1 - Cross-Site Request Forgery via 'blcap_action' Parameter
  • Weaknesses: CWE-352
  • References:
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:26.283Z

Reserved: 2026-06-01T13:52:47.971Z

Link: CVE-2026-10552

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)