WordPress Plugin Vulnerabilities

Blackhole for Bad Bots < 3.8.1 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header

Description

The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Blackhole Bad Bots admin page.

Affects Plugins

Plugin icon
blackhole-bad-bots
Fixed in 3.8.1

References

CVE
CVE-2026-4329
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a71992e2-fdac-4e89-8867-4b771d9b4374

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Huynh Pham Thanh Luc
Verified
No
WPVDB ID
7da0b78a-d9d4-4a62-a297-d73d44c1b768

Timeline

Publicly Published
2026-03-25 (about 1 month ago)
Added
2026-03-25 (about 1 month ago)
Last Updated
2026-03-26 (about 1 month ago)

Other

Published
Title
Published
2020-10-29
Title
WordPress < 5.5.2 - Stored XSS in Post Slugs
Published
2025-09-26
Title
Map Categories to Pages <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-09-25
Title
Popup Maker < 1.21.0 - Contributor+ Stored XSS via title Parameter
Published
2023-05-22
Title
Leyka < 3.30.2 - Reflected XSS
Published
2015-01-25
Title
WP SlimStat <= 3.9.2 - Stored Cross-Site Scripting (XSS)