Description
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbots_check_wordpress_logged_in_cookie' function in all versions up to, and including, 11.58. This makes it possible for unauthenticated attackers to bypass blocklists, rate limits, and other plugin functionality.
Published: 2025-08-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass allowing unauthenticated users to bypass blocklists, rate limits, and other anti-spam controls
Action: Patch
AI Analysis

Impact

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin contains an insufficient capability check in the function 'stopbadbots_check_wordpress_logged_in_cookie'. Because the check can be satisfied without authentication, unauthenticated users can influence the plugin's filtering logic and bypass configured blocklists, rate limits, and other anti-spam mechanisms. The vulnerability is an authorization bypass weakness (CWE-863); it does not provide arbitrary code execution or higher privileges.

Affected Systems

Any WordPress installation running the Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin at version 11.58 or earlier is affected. The description gives only the upper bound of affected versions and does not name the release that corrects the issue, so administrators should verify the installed plugin version against the vendor's update notes.

Risk and Exploitability

The CVSS score of 6.5 classifies the flaw as medium severity, while the EPSS score of < 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector involves sending crafted HTTP requests to the plugin's endpoints that invoke the vulnerable function; no authenticated role is required (CVSS vector AV:N/AC:L/PR:N/UI:N). Because the flaw erodes core anti-spam protections, it should be remediated promptly.

Generated by OpenCVE AI on April 22, 2026 at 06:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the patched version that corrects the capability check.
  • If an upgrade is not immediately available, block unauthenticated access to the plugin's endpoint URLs using web server rules, firewall settings, or WordPress role-based access controls.
  • As a temporary measure, disable or reduce the blocklist and rate-limit features until a permanent fix can be applied.



Advisories
Source: EUVD
ID: EUVD-2025-26082
Title: The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbots_check_wordpress_logged_in_cookie' function in all versions up to, and including, 11.58. This makes it possible for unauthenticated attackers to bypass blocklists, rate limits, and other plugin functionality.
History

Thu, 28 Aug 2025 15:15:00 +0000

Metrics (ssvc) added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 12:30:00 +0000

Description added: The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbots_check_wordpress_logged_in_cookie' function in all versions up to, and including, 11.58. This makes it possible for unauthenticated attackers to bypass blocklists, rate limits, and other plugin functionality.

Title added: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection <= 11.58 - Insufficient Authorization to Unauthenticated Blocklist Bypass

Weaknesses added: CWE-863

References added:

Metrics (cvssV3_1) added:

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:10.612Z

Reserved: 2025-08-22T23:42:07.806Z

Link: CVE-2025-9376

Vulnrichment

Updated: 2025-08-28T13:35:12.977Z

NVD

Status: Deferred

Published: 2025-08-28T12:15:39.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9376

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses