CVE-2025-9376

MEDIUM

Block Bad Bots <= 11.58 - Unauthenticated Incorrect Authorization

Title source: llm

Description

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbots_check_wordpress_logged_in_cookie' function in all versions up to, and including, 11.58. This makes it possible for unauthenticated attackers to bypass blocklists, rate limits, and other plugin functionality.

References (4)

Core 4

Core References

Product

https://plugins.trac.wordpress.org/browser/stopbadbots/trunk/stopbadbots.php#L1958

Product

https://plugins.trac.wordpress.org/changeset/3350927/

Product

https://plugins.trac.wordpress.org/changeset/3351023/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/8d6b0d86-3cb4-4723-b677-141c604f00cc?source=cve

Scores

CVSS v3 6.5

EPSS 0.0033

EPSS Percentile 24.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (1)

sminozzi/Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection < 11.58

Published Aug 28, 2025

Tracked Since Feb 18, 2026