Blue Captcha
Monthly
Cross-Site Request Forgery in the Blue Captcha WordPress plugin (versions ≤ 2.0.1) allows unauthenticated attackers to trigger destructive administrative operations - including plugin uninstall, audit log deletion, Hall of Shame wipe, and arbitrary IP blocklist manipulation - by tricking a logged-in administrator into clicking a crafted link. The root cause is a complete absence of nonce validation (`wp_verify_nonce`, `check_admin_referer`, `check_ajax_referer`) across all admin handler entry points, confirmed by Wordfence with direct source code references. No public exploit has been identified at time of analysis, and no patched version has been confirmed.
Cross-Site Request Forgery in the Blue Captcha WordPress plugin (versions ≤ 2.0.1) allows unauthenticated attackers to trigger destructive administrative operations - including plugin uninstall, audit log deletion, Hall of Shame wipe, and arbitrary IP blocklist manipulation - by tricking a logged-in administrator into clicking a crafted link. The root cause is a complete absence of nonce validation (`wp_verify_nonce`, `check_admin_referer`, `check_ajax_referer`) across all admin handler entry points, confirmed by Wordfence with direct source code references. No public exploit has been identified at time of analysis, and no patched version has been confirmed.