
88 matches found

Patchstack
added 2026/03/30 1:3 p.m., 5 views

WordPress Blackhole for Bad Bots plugin <= 3.8 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header vulnerability

Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header vulnerability discovered by Huynh Pham Thanh Luc in WordPress Plugin Blackhole for Bad Bots versions <= 3.8...

CVSS 7.2, AI score 5.9, EPSS 0.00237
Exploits: 0, References: 1, Affected Software: 1
Cvelist
added 2026/03/26 3:37 a.m., 30 views

CVE-2026-4329 Blackhole for Bad Bots <= 3.8 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header

The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field when capturing bot data which...

CVSS 7.2, EPSS 0.00237
Exploits: 0, References: 12
ATTACKERKB
added 2026/03/26 3:37 a.m., 1 view

CVE-2026-4329

The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field when capturing bot data which...

CVSS 7.2, AI score 6, EPSS 0.00237
Exploits: 0, References: 13
Vulnrichment
added 2026/03/26 3:37 a.m., 1 view

CVE-2026-4329 Blackhole for Bad Bots <= 3.8 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header

The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field when capturing bot data which...

CVSS 7.2, AI score 6, EPSS 0.00237
Exploits: 0, References: 12
Positive Technologies
added 2026/03/26 12:0 a.m., 4 views

PT-2026-28202

The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field when capturing bot data whic...

CVSS 7.2, AI score 6, EPSS 0.00237
Exploits: 0, References: 13
Packet Storm News
added 2026/02/10 12:0 a.m., 6 views

When Handshakes Tell the Truth: Detecting Web Bad Bots Via TLS Fingerprints

Automated traffic continued to surpass human-generated traffic on the web, and a rising proportion of this automation was explicitly malicious. Evasive bots could pretend to be real users, even solve Captchas and mimic human interaction patterns. This work explores a less intrusive, protocol-leve...

AI score 5.5
Exploits: 0
RedhatCVE
added 2026/01/09 10:44 a.m., 1 view

CVE-2022-0949

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 6.930 does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbotsgravafingerprint AJAX action, available to unauthenticated users,...

CVSS 9.8, AI score 7.5, EPSS 0.62454
Exploits: 2, References: 1
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2021-11982

Malware in sbrugna...

CVSS 9.8, AI score 9.2, EPSS 0.00546
Exploits: 2, References: 2
EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2022-43219

Malicious code in bioql PyPI...

CVSS 6.5, AI score 6.5, EPSS 0.00135
Exploits: 2, References: 1
EUVD
added 2025/10/03 8:7 p.m., 0 views

EUVD-2024-43991

Malicious code in bioql PyPI...

CVSS 4.3, AI score 6.5, EPSS 0.00378
Exploits: 0, References: 2
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-24507

Malicious code in bioql PyPI...

CVSS 9.1, AI score 9, EPSS 0.00346
Exploits: 2, References: 2
EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2025-26082

Malicious code in bioql PyPI...

CVSS 6.5, AI score 6.5, EPSS 0.00185
Exploits: 0, References: 4
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2023-36740

Malicious code in bioql PyPI...

CVSS 5.9, AI score 6.5, EPSS 0.00067
Exploits: 0, References: 1
Positive Technologies
added 2025/08/28 12:0 a.m., 3 views

PT-2025-34988

Name of the Vulnerable Software and Affected Versions: Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress versions through 11.58 Description: The plugin is susceptible to unauthorized data access due to an inadequate capability check within the...

CVSS 6.5, AI score 6.3, EPSS 0.00185
Exploits: 0, References: 7
CNNVD
added 2025/08/28 12:0 a.m., 2 views

WordPress plugin Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection security vulnerability

WordPress and the WordPress plugin are products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. WordPress plugin Block Bad Bots and Stop Bad Bo...

CVSS 6.5, AI score 6.2, EPSS 0.00185
Exploits: 0, References: 5
RedhatCVE
added 2025/05/23 9:10 a.m., 2 views

CVE-2024-4355

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the stopbadbotsgetajaxdata function in all versions up to, and including, 10.23. This makes it possible for...

CVSS 4.3, AI score 5.9, EPSS 0.00378
Exploits: 0, References: 1
RedhatCVE
added 2025/05/23 2:35 a.m., 3 views

CVE-2023-32496

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Bill Minozzi Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin = 7.31 versions...

CVSS 5.9, AI score 5.2, EPSS 0.00067
Exploits: 0, References: 1
RedhatCVE
added 2025/05/23 1:11 a.m., 5 views

CVE-2022-1165

The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search...

CVSS 9.1, AI score 7, EPSS 0.00346
Exploits: 2, References: 1
RedhatCVE
added 2025/05/22 9:36 p.m., 5 views

CVE-2021-25070

The Block Bad Bots WordPress plugin before 6.88 does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue...

CVSS 9.8, AI score 7.6, EPSS 0.00546
Exploits: 2, References: 1
Malwarebytes
added 2025/04/16 9:25 p.m., 11 views

Hi, robot: Half of all internet traffic now automated

If you sometimes feel that the internet isn't the same vibrant place it used to be, you're not alone. New research suggests that most of the traffic traversing the network isn't human at all. Bots, software programs that interact with web sites, have been ubiquitous for years. But in its 2025 Bad B...

AI score 7.2
Exploits: 0