Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-30
CVE-2026-4329 - Blackhole For Bad Bots Plugin
The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into…
PLUGIN
Blackhole For Bad Bots
CVE-2026-4329
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1165 - Blackhole For Bad Bots Plugin
The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abused by competitors to cause damage related to visibility in search engines, can be used to bypass arbitrary blocks caused by this plugin, block any visitor or even the administrator and even more.
PLUGIN
Blackhole For Bad Bots
CVE-2022-1165
Risk Score