CVE-2022-1165
CRITICALBlackhole for Bad Bots < 3.3.2 - IP Spoofing via Custom Headers
Title source: llmDescription
The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abused by competitors to cause damage related to visibility in search engines, can be used to bypass arbitrary blocks caused by this plugin, block any visitor or even the administrator and even more.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/10d85913-ea8c-4c2e-a32e-fa61cf191710
Patch, Third Party Advisory x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/2666486
Scores
CVSS v3
9.1
EPSS
0.0164
EPSS Percentile
73.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-639
Status
published
Products (1)
plugin-planet/blackhole_for_bad_bots
< 3.3.2
Published
Apr 04, 2022
Tracked Since
Feb 18, 2026