WordPress Plugin Vulnerabilities

Blackhole for Bad Bots < 3.3.2 - Arbitrary IP Address Blocking via IP Spoofing

Description

The plugin determines the IP address of requests hitting the blackhole URL from client-supplied headers such as CF-CONNECTING-IP and CLIENT-IP, which can be spoofed. As a result, arbitrary IP addresses can be blocked, including those of legitimate search engine crawlers and bots. A competitor could abuse this to damage a site's visibility in search engines; it can also be used to bypass blocks imposed by this plugin, to block any visitor or even the administrator, and more.

Proof of Concept

curl -H 'CF-CONNECTING-IP: 128.0.0.1' https://example.com/?blackhole=....

Replace 128.0.0.1 with any valid Google IP address to get Google blocked.
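As an added illustration of the weak pattern the description refers to and of a hardened alternative (this is not the plugin's own code): a forwarding header such as CF-Connecting-IP is trusted only when REMOTE_ADDR itself belongs to a known proxy. The `$_SERVER` keys follow PHP's header mapping; the proxy range 198.51.100.0/24 is a placeholder and the request array is constructed.

```php
<?php
// Added illustration, not code from the Blackhole for Bad Bots plugin.
// Resolving a client IP: header-first (spoofable) versus proxy-aware (hardened).

/** True when IPv4 $ip lies inside $cidr such as "198.51.100.0/24" (IPv4 only, for brevity). */
function ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong  = ip2long($ip);
    $subLong = ip2long($subnet);
    if ($ipLong === false || $subLong === false) {
        return false;
    }
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subLong & $mask);
}

/** The weak pattern the advisory describes: the first client-controlled header wins. */
function client_ip_vulnerable(array $server): string {
    foreach (['HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return '';
}

/** Hardened: REMOTE_ADDR is authoritative unless it belongs to a trusted proxy that sets $header. */
function client_ip_hardened(array $server, array $trustedProxies, string $header = 'HTTP_CF_CONNECTING_IP'): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    foreach ($trustedProxies as $cidr) {
        if (ip_in_cidr($remote, $cidr)) {
            $candidate = trim($server[$header] ?? '');
            // Accept only a syntactically valid address from the proxy; otherwise fall back.
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
            break;
        }
    }
    return $remote;
}

// Constructed request: a direct client (no proxy in front) supplying a forged header.
$request = [
    'REMOTE_ADDR'           => '203.0.113.10', // real TCP peer (documentation address)
    'HTTP_CF_CONNECTING_IP' => '128.0.0.1',    // client-supplied header value
];
$trustedProxies = ['198.51.100.0/24']; // placeholder; use your CDN's published ranges

echo 'vulnerable resolver sees: ', client_ip_vulnerable($request), "\n";
echo 'hardened resolver sees:   ', client_ip_hardened($request, $trustedProxies), "\n";
```

The vulnerable resolver returns the forged header value, so whatever address the client names is what gets blocked; the hardened one ignores the header because REMOTE_ADDR is not a trusted proxy.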

Affects Plugins

Fixed in 3.3.2

References

Miscellaneous

Original Researcher: Daniel Ruf
Submitter: Daniel Ruf
Verified: Yes

Timeline

Publicly Published: 2022-01-31
Added: 2022-01-31
Last Updated: 2022-04-08
