{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4329", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T13:48:17.099Z", "datePublished": "2026-03-26T03:37:28.864Z", "dateUpdated": "2026-03-26T03:37:28.864Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T03:37:28.864Z"}, "affected": [{"vendor": "specialk", "product": "Blackhole for Bad Bots", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Blackhole Bad Bots admin page."}], "title": "Blackhole for Bad Bots <= 3.8 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a71992e2-fdac-4e89-8867-4b771d9b4374?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L79"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L79"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/blackhole-helpers.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/blackhole-helpers.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/blackhole-core.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/blackhole-core.php#L180"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487350%40blackhole-bad-bots&new=3487350%40blackhole-bad-bots&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Huynh Pham Thanh Luc"}], "timeline": [{"time": "2026-03-17T15:25:26.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Blackhole Bad Bots admin page."}], "id": "CVE-2026-4329", "lastModified": "2026-03-26T05:16:40.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-26T05:16:40.287", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L79"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L85"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/blackhole-core.php#L180"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/blackhole-helpers.php#L22"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L79"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L85"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/blackhole-core.php#L180"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/blackhole-helpers.php#L22"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487350%40blackhole-bad-bots&new=3487350%40blackhole-bad-bots&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a71992e2-fdac-4e89-8867-4b771d9b4374?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Blackhole for Bad Bots", "source": "cna", "vendor": "specialk"}, "product": "blackhole_for_bad_bots", "vendor": "specialk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T05:22:18.650963+00:00", "value": {"mitigation_remediation": ["Update Blackhole for Bad Bots to the latest available version (3.9 or later).", "If an update is not available, disable or uninstall the plugin to remove the vulnerable code.", "Verify that your WordPress core and all other plugins are updated to reduce the risk of similar input handling issues."], "summary": {"action": "Update plugin", "impact": "Stored cross-site scripting in the plugin\u2019s admin log page"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all versions of the Blackhole for Bad Bots plugin up to and including 3.8. Servers running WordPress with this plugin installed, regardless of other configurations, are susceptible if the plugin is active.", "description_and_impact": "The Blackhole for Bad Bots plugin for WordPress contains a stored cross\u2011site scripting flaw that allows malicious content to be injected into the User\u2011Agent HTTP header. When an attacker submits a crafted header, the plugin stores the value without proper escaping. When an administrator later views the Bad Bots log page, the stored value is output directly into HTML input elements and span tags, enabling arbitrary JavaScript execution in the admin browser.", "risk_and_exploitability": "The CVSS score for this issue is 7.2, indicating a high risk impact. Although EPSS data is not available and the issue is not listed in CISA's KEV catalog, the flaw can be exploited remotely by manipulating the User\u2011Agent header; an attacker needs only to ensure that an administrator views the log page to trigger the malicious script. The resulting cross\u2011site scripting can allow an attacker to hijack the administrator session, steal credentials, or perform malicious actions within the WordPress site."}}}}, "created": "2026-03-26T11:30:37.320902+00:00", "updated": "2026-03-26T12:08:37.243651+00:00", "vendors": ["specialk", "specialk$PRODUCT$blackhole_for_bad_bots", "wordpress", "wordpress$PRODUCT$wordpress"]}