Description
The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Blackhole Bad Bots admin page.
Published: 2026-03-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting in the plugin’s admin log page
Action: Update plugin
AI Analysis

Impact

The Blackhole for Bad Bots plugin for WordPress contains a stored cross-site scripting flaw in its handling of the User-Agent HTTP header. When an attacker sends a request with a crafted header, the plugin stores the value without proper escaping. When an administrator later views the Bad Bots log page, the stored value is output directly into HTML input value attributes and span content, enabling arbitrary JavaScript execution in the administrator's browser.
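The Description and the Impact paragraph above both come down to one mistake: sanitizing on input (sanitize_text_field() strips tags but keeps double quotes) and then trusting that sanitized value at output time. The following PHP is an added example, not the plugin's own code, showing the rendering pattern the advisory describes next to a hardened version that escapes per output context with esc_attr() and esc_html(). The function names capture_bot_entry(), render_log_vulnerable() and render_log_hardened() and the in-memory $log array are assumptions for illustration; the update_option() storage step is replaced by that array. When run outside WordPress, simplified stand-ins for the three WordPress helpers are defined so the difference is visible on the CLI; they approximate, not reproduce, the real implementations.

```php
<?php
// Added example (not the plugin's code): how a stored User-Agent string reaches
// the admin log page in the vulnerable shape described in the advisory, and in
// a hardened shape that escapes for each HTML output context.

// Stand-ins so this runs under plain `php` without WordPress. They are
// simplified approximations of the real helpers, not copies of them.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Drops tags and control characters, trims whitespace. Like the real
        // helper it does NOT encode quotes, so the result is still unsafe to
        // place inside an HTML attribute or element body without escaping.
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( $str );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Capture step as the advisory describes it: input is sanitized, then stored.
// The plugin persists via update_option(); here $log is a plain array.
function capture_bot_entry( array &$log, string $user_agent ): void {
    $log[] = array( 'ua' => sanitize_text_field( $user_agent ) );
}

// Vulnerable rendering (the pattern the advisory describes): the stored value
// lands in an input value attribute and in a span body with no output escaping.
function render_log_vulnerable( array $log ): string {
    $html = '';
    foreach ( $log as $entry ) {
        $html .= '<input type="text" value="' . $entry['ua'] . '">';
        $html .= '<span>' . $entry['ua'] . '</span>' . "\n";
    }
    return $html;
}

// Hardened rendering: escape at the point of output, choosing the escaper for
// the context (esc_attr() inside attributes, esc_html() for element content).
function render_log_hardened( array $log ): string {
    $html = '';
    foreach ( $log as $entry ) {
        $html .= '<input type="text" value="' . esc_attr( $entry['ua'] ) . '">';
        $html .= '<span>' . esc_html( $entry['ua'] ) . '</span>' . "\n";
    }
    return $html;
}

// Constructed sample: a User-Agent containing a double quote, which
// sanitize_text_field() leaves in place. No tags are needed to show the gap.
$log = array();
capture_bot_entry( $log, 'Mozilla/5.0 (compatible; "TestBot"/1.0)' );

echo "Vulnerable output (the quote terminates the value attribute early):\n";
echo render_log_vulnerable( $log );
echo "Hardened output (the quote is encoded as &quot;):\n";
echo render_log_hardened( $log );
```

The point to take from the two render functions is that input sanitization and output escaping are different controls: the first limits what is stored, the second makes the stored value inert in the specific context it is printed into, and only the second prevents the attribute break seen in the vulnerable output.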

Affected Systems

This vulnerability affects all versions of the Blackhole for Bad Bots plugin up to and including 3.8. Servers running WordPress with this plugin installed, regardless of other configurations, are susceptible if the plugin is active.

Risk and Exploitability

The CVSS score for this issue is 7.2, indicating high severity. Although EPSS data is not available and the issue is not listed in CISA's KEV catalog, the flaw can be exploited remotely by manipulating the User-Agent header; an attacker needs only an administrator to view the log page for the injected script to run. The resulting cross-site scripting can allow an attacker to hijack the administrator session, steal credentials, or perform malicious actions within the WordPress site.

Generated by OpenCVE AI on March 26, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Blackhole for Bad Bots to the latest available version (3.9 or later).
  • If an update is not available, disable or uninstall the plugin to remove the vulnerable code.
  • Verify that your WordPress core and all other plugins are updated to reduce the risk of similar input handling issues.


Tracking


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Metrics (values added): ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

First Time appeared (values added): Specialk; Specialk blackhole For Bad Bots; Wordpress; Wordpress wordpress
Vendors & Products (values added): Specialk; Specialk blackhole For Bad Bots; Wordpress; Wordpress wordpress

Thu, 26 Mar 2026 04:30:00 +0000

Description (values added): The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Blackhole Bad Bots admin page.
Title (values added): Blackhole for Bad Bots <= 3.8 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header
Weaknesses (values added): CWE-79
References (values added):
Metrics (values added): cvssV3_1
  {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Specialk Blackhole For Bad Bots
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:36.396Z

Reserved: 2026-03-17T13:48:17.099Z

Link: CVE-2026-4329

Vulnrichment

Updated: 2026-03-26T17:48:25.179Z

NVD

Status : Deferred

Published: 2026-03-26T05:16:40.287

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-4329

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:37Z

Weaknesses