PT-2026-28202 · WordPress · The Blackhole For Bad Bots

Tadokun · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-4329

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Blackhole for Bad Bots versions prior to 3.9

Description: The Blackhole for Bad Bots plugin for WordPress is susceptible to Stored Cross-Site Scripting through the User-Agent HTTP header. This occurs because of inadequate input sanitization and output escaping. The plugin uses sanitize_text_field() to capture bot data, which strips HTML tags but does not HTML-encode the remaining characters. The data is then stored using update_option(). When an administrator views the Bad Bots log page, the stored data is inserted directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). This allows unauthenticated attackers to inject web scripts that execute when an administrator accesses the Blackhole Bad Bots admin page.

Recommendations: Update Blackhole for Bad Bots to version 3.9 or later.
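The root cause described above is the gap between sanitizing on input and escaping on output: a value can be free of HTML tags and still break out of the attribute it is printed into. The following is an added example, not code from the Blackhole for Bad Bots plugin or from WordPress. It runs as plain PHP without WordPress loaded, so sanitize_text_field_like(), esc_attr_like() and esc_html_like() are stand-ins (assumptions) for the WordPress functions named in the advisory, and the User-Agent string is constructed for the demonstration.

```php
<?php
// Added example (not the plugin's code): why tag-stripping on input does not
// protect an HTML attribute sink, and what context-aware output escaping changes.

// Stand-in for sanitize_text_field(): strips tags and trims, but leaves quotes
// and other HTML-significant characters untouched (assumption: WordPress not loaded).
function sanitize_text_field_like(string $s): string {
    return trim(strip_tags($s));
}

// Stand-ins for esc_attr() / esc_html(): encode <, >, &, " and ' so the value
// can neither close the enclosing attribute nor open a new tag.
function esc_attr_like(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function esc_html_like(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern from the advisory: the stored value goes straight into a
// value="" attribute and into span text with no output escaping.
function render_row_vulnerable(string $ua): string {
    return '<input type="text" value="' . $ua . '"><span>' . $ua . '</span>';
}

// Hardened pattern: escape for the specific HTML context at the point of output.
function render_row_fixed(string $ua): string {
    return '<input type="text" value="' . esc_attr_like($ua) . '">'
         . '<span>' . esc_html_like($ua) . '</span>';
}

// Constructed User-Agent: contains no HTML tags, so tag-stripping keeps it intact,
// but the embedded quote terminates value="..." and the remainder becomes a new attribute.
$ua     = 'ExampleBot/1.0" data-injected="1';
$stored = sanitize_text_field_like($ua);   // quote survives sanitization

echo "stored : $stored\n";
echo "vuln   : " . render_row_vulnerable($stored) . "\n";
echo "fixed  : " . render_row_fixed($stored) . "\n";

// Self-check: the hardened markup contains only the four quotes the template itself
// wrote (type="text" and value="..."); the vulnerable markup contains six.
assert(substr_count(render_row_fixed($stored), '"') === 4);
assert(substr_count(render_row_vulnerable($stored), '"') === 6);
```

The check a reviewer would apply to code like this is simple: every variable printed into HTML must pass through an escaping function chosen for its context (attribute, text node, URL, JavaScript) at the echo site, regardless of what sanitization happened when the value was stored. Sanitizing at input is a defence-in-depth measure, not a substitute.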

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-4329

Affected Products: The Blackhole For Bad Bots