Blackhole for Bad Bots WordPress Plugin Stored XSS Vulnerability
The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.
The Blackhole for Bad Bots plugin for WordPress, up to and including version 3.8, contains a stored cross-site scripting (XSS) vulnerability. The vulnerability stems from insufficient input sanitization and output escaping of the User-Agent HTTP header when capturing bot data. Specifically, the plugin uses sanitize_text_field(), which strips HTML tags but does not escape HTML entities. This data is then stored using update_option() and later displayed on the Bad Bots log page. The stored data is output into HTML input value attributes and HTML span content without proper escaping via esc_attr() or esc_html(). This allows an unauthenticated attacker to inject arbitrary web scripts that are executed when an administrator views the Blackhole Bad Bots admin page, potentially leading to privilege escalation or other malicious actions.
Attack Chain
- An unauthenticated attacker sends a request to the WordPress site with a malicious User-Agent header containing XSS payload.
- The Blackhole for Bad Bots plugin captures the User-Agent string using sanitize_text_field(), which inadequately sanitizes the input.
- The plugin stores the inadequately sanitized User-Agent string in the WordPress options database using update_option().
- A WordPress administrator navigates to the Blackhole Bad Bots admin page.
- The plugin retrieves the stored User-Agent strings from the database.
- The plugin outputs the stored User-Agent string directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html() on the admin page.
- The administrator’s browser executes the injected XSS payload.
- The XSS payload can perform actions such as stealing the administrator’s session cookie, redirecting the administrator to a malicious site, or performing actions on behalf of the administrator.
Impact
Successful exploitation of this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute in the context of an administrator’s browser session. This can lead to various malicious outcomes, including account takeover, data theft, and defacement of the WordPress site. Given the widespread use of WordPress and the Blackhole for Bad Bots plugin, a successful exploit could impact a significant number of websites.
Recommendation
- Upgrade the Blackhole for Bad Bots plugin to a version greater than 3.8 to remediate CVE-2026-4329.
- Implement a Web Application Firewall (WAF) rule to filter requests containing suspicious User-Agent headers that might exploit CVE-2026-4329.
- Monitor web server logs for requests with unusual or potentially malicious User-Agent strings to detect potential exploitation attempts related to CVE-2026-4329.
Detection coverage (2 rules)
Detect WordPress Blackhole Bad Bots XSS Attempt via User-Agent
Severity: high. Detects requests with User-Agent headers containing common XSS patterns targeting CVE-2026-4329.
Detect WordPress Blackhole Bad Bots Admin Page Access
Severity: low. Detects access to the Blackhole Bad Bots admin page, which, when combined with a malicious User-Agent, could indicate exploitation of CVE-2026-4329.
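Added example (not part of the advisory or of the plugin): a Python pass over constructed combined-format web server log lines that implements the log-monitoring recommendation and the two detection rules above, flagging XSS-looking User-Agent headers (high) and admin-page views (low), and correlating an admin view that follows a captured payload, which is the moment a stored payload would execute. The sample log lines and the admin-page path marker are assumptions, since the advisory does not give the plugin's page slug.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /?s=test HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "<script>alert(1)</script>"
203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "GET /feed/ HTTP/1.1" 200 64 "-" "Mozilla/5.0 \\" onmouseover=\\"alert(1)"
198.51.100.9 - - [10/Mar/2026:12:05:00 +0000] "GET /wp-admin/admin.php?page=blackhole_settings HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
"""
ADMIN_PAGE_MARKER = "page=blackhole"  # assumed substring; the real plugin page slug is not given here

# One quoted combined-log field; backslash-escaped quotes may appear inside the User-Agent.
_Q = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + _Q + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>' + _Q + r')" "(?P<ua>' + _Q + r')"$'
)
# Indicators a legitimate User-Agent never carries; the first three are high confidence,
# "markup_chars" is a weaker signal for breaking out of an unescaped value="..." attribute.
XSS_UA_PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "event_handler": re.compile(r"\bon\w+\s*=", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "markup_chars": re.compile(r'[<>"]'),
}

def analyse(log_text: str) -> Dict[str, List[dict]]:
    """Return suspicious-UA hits (high), admin-page views (low), and the admin views
    logged after the first suspicious UA was captured (the stored-XSS execution window)."""
    hits: List[dict] = []
    admin_views: List[dict] = []
    first_hit_line = 0
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ua = m.group("ua").replace('\\"', '"')  # undo the log writer's quote escaping
        matched = [name for name, p in XSS_UA_PATTERNS.items() if p.search(ua)]
        if matched:
            hits.append({"line": line_no, "ip": m.group("ip"), "ua": ua, "indicators": matched})
            first_hit_line = first_hit_line or line_no
        if ADMIN_PAGE_MARKER in m.group("req"):
            admin_views.append({"line": line_no, "ip": m.group("ip")})
    after = [v for v in admin_views if first_hit_line and v["line"] > first_hit_line]
    return {"high": hits, "low": admin_views, "admin_views_after_capture": after}

if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    for h in r["high"]:
        print(f"HIGH line {h['line']} {h['ip']} {h['indicators']}: {h['ua']!r}")
    print(f"LOW admin views: {len(r['low'])}, after a capture: {len(r['admin_views_after_capture'])}")
```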