{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4329", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T13:48:17.099Z", "datePublished": "2026-03-26T03:37:28.864Z", "dateUpdated": "2026-04-08T17:13:36.396Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:36.396Z"}, "affected": [{"vendor": "specialk", "product": "Blackhole for Bad Bots", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Blackhole Bad Bots admin page."}], "title": "Blackhole for Bad Bots <= 3.8 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a71992e2-fdac-4e89-8867-4b771d9b4374?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L79"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L79"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/blackhole-helpers.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/blackhole-helpers.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/blackhole-core.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/blackhole-core.php#L180"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487350%40blackhole-bad-bots&new=3487350%40blackhole-bad-bots&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "tadokun"}], "timeline": [{"time": "2026-03-17T15:25:26.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4329", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:35:27.255282Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:51:15.986Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4329", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:35:27.255282Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:48:25.179Z"}}], "cna": {"title": "Blackhole for Bad Bots <= 3.8 - Unauthenticated Stored Cross-Site Scripting via User-Agent HTTP Header", "credits": [{"lang": "en", "type": "finder", "value": "tadokun"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "specialk", "product": "Blackhole for Bad Bots", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-17T15:25:26.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-25T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a71992e2-fdac-4e89-8867-4b771d9b4374?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L79"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L79"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L85"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/blackhole-helpers.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/blackhole-helpers.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/blackhole-core.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/blackhole-core.php#L180"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487350%40blackhole-bad-bots&new=3487350%40blackhole-bad-bots&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Blackhole Bad Bots admin page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:36.396Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4329", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:36.396Z", "dateReserved": "2026-03-17T13:48:17.099Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-26T03:37:28.864Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Blackhole Bad Bots admin page."}, {"lang": "es", "value": "El plugin Blackhole for Bad Bots para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del encabezado HTTP User-Agent en todas las versiones hasta la 3.8 inclusive. Esto se debe a una sanitizaci\u00f3n de entrada insuficiente y un escape de salida inadecuado. El plugin utiliza sanitize_text_field() al capturar datos de bots (que elimina las etiquetas HTML pero no escapa las entidades HTML como las comillas dobles), luego almacena los datos a trav\u00e9s de update_option(). Cuando un administrador ve la p\u00e1gina de registro de Bad Bots, los datos almacenados se muestran directamente en los atributos de valor de entrada HTML (l\u00edneas 75-83) sin esc_attr() y en el contenido de los elementos span HTML sin esc_html(). Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios que se ejecutan cuando un administrador ve la p\u00e1gina de administraci\u00f3n de Blackhole Bad Bots."}], "id": "CVE-2026-4329", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-26T05:16:40.287", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L79"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/badbots-register.php#L85"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/blackhole-core.php#L180"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/tags/3.8/inc/blackhole-helpers.php#L22"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L79"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/badbots-register.php#L85"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/blackhole-core.php#L180"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blackhole-bad-bots/trunk/inc/blackhole-helpers.php#L22"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487350%40blackhole-bad-bots&new=3487350%40blackhole-bad-bots&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a71992e2-fdac-4e89-8867-4b771d9b4374?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Blackhole for Bad Bots", "source": "cna", "vendor": "specialk"}, "product": "blackhole_for_bad_bots", "vendor": "specialk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T05:22:18.650963+00:00", "value": {"mitigation_remediation": ["Update Blackhole for Bad Bots to the latest available version (3.9 or later).", "If an update is not available, disable or uninstall the plugin to remove the vulnerable code.", "Verify that your WordPress core and all other plugins are updated to reduce the risk of similar input handling issues."], "summary": {"action": "Update plugin", "impact": "Stored cross-site scripting in the plugin\u2019s admin log page"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all versions of the Blackhole for Bad Bots plugin up to and including 3.8. Servers running WordPress with this plugin installed, regardless of other configurations, are susceptible if the plugin is active.", "description_and_impact": "The Blackhole for Bad Bots plugin for WordPress contains a stored cross\u2011site scripting flaw that allows malicious content to be injected into the User\u2011Agent HTTP header. When an attacker submits a crafted header, the plugin stores the value without proper escaping. When an administrator later views the Bad Bots log page, the stored value is output directly into HTML input elements and span tags, enabling arbitrary JavaScript execution in the admin browser.", "risk_and_exploitability": "The CVSS score for this issue is 7.2, indicating a high risk impact. Although EPSS data is not available and the issue is not listed in CISA's KEV catalog, the flaw can be exploited remotely by manipulating the User\u2011Agent header; an attacker needs only to ensure that an administrator views the log page to trigger the malicious script. The resulting cross\u2011site scripting can allow an attacker to hijack the administrator session, steal credentials, or perform malicious actions within the WordPress site."}}}}, "created": "2026-03-26T11:30:37.320902+00:00", "updated": "2026-03-26T12:08:37.243651+00:00", "vendors": ["specialk", "specialk$PRODUCT$blackhole_for_bad_bots", "wordpress", "wordpress$PRODUCT$wordpress"]}