**Name of the Vulnerable Software and Affected Versions**

Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress versions through 3.4.8

**Description**

The Banhammer plugin for WordPress is susceptible to a blocking bypass. This occurs because a site-wide “secret key” is predictably generated using md5() and base64 encode() from a constant character set and stored in the `banhammer secret key` option. Unauthenticated attackers can bypass the plugin’s logging and blocking mechanisms by appending a GET parameter named `banhammer-process {SECRET}` where `{SECRET}` is the predictable key value. This causes Banhammer to disable its protections for that specific request.

**Recommendations**

Update to a version later than 3.4.8.