Blackhole for Bad Bots Stored Cross-Site Scripting Vulnerability via User-Agent Header

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Blackhole for Bad Bots WordPress plugin, affecting all versions up to and including 3.8. The issue arises from inadequate input sanitization combined with missing output escaping. The plugin records data about the bots it traps, including the raw value of the User-Agent HTTP header, applies only minimal sanitization to that value, and stores it in the WordPress database. When an administrator opens the Bad Bots log page, the stored value is rendered without proper escaping, so any HTML or script it contains executes in that administrator's browser. Because the User-Agent header is entirely attacker-controlled and no authentication is needed to be logged, an unauthenticated attacker can plant a payload that later runs in the admin context.

Impact

Exploitation results in stored cross-site scripting: the injected script runs in the browser of whichever user views the Bad Bots log page, normally an administrator, and therefore with that user's authenticated WordPress session. Whatever that session is permitted to do, the script can do on the attacker's behalf.

Reproduction

To reproduce this vulnerability, with the Blackhole for Bad Bots plugin active, send a request that the plugin records as a bad-bot hit, with the User-Agent header set to a script payload. The payload is written to the log unchanged. When an administrator subsequently opens the Bad Bots log page, the stored script executes in their browser.
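The following is an added example, not code from the advisory or from the plugin itself. It shows the two halves of the problem described above from the defender's side: a scanner that runs over web-server access log lines (in the common "combined" format) and flags User-Agent values carrying markup, which is the signal a site on an affected version should look for, and a side-by-side of the vulnerable rendering pattern (stored value dropped straight into admin HTML) against the fixed pattern (escape on output, the job esc_html() does in WordPress). The log lines, IP addresses and the "/trap-path/" URL are constructed placeholders, not taken from a real site or from the plugin.

```python
"""
Added example (not part of the advisory or of the plugin's own code):
flag User-Agent strings that carry HTML/script payloads in access logs,
and show why output escaping neutralises such a value when it is later
rendered in an admin page.
"""
import html
import re
from typing import Optional

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Markup fragments that have no business in a User-Agent string: a tag
# opener, an inline event handler, or a javascript: URL.
SUSPICIOUS_UA_RE = re.compile(
    r'<\s*/?\s*[a-z!?]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE
)

# Constructed sample log. Hosts, paths and timestamps are placeholders;
# "/trap-path/" stands in for whatever URL the plugin treats as a bad-bot hit.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Mar/2026:05:29:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [26/Mar/2026:05:29:02 +0000] "GET /trap-path/ HTTP/1.1" 403 1024 "-" "<script>alert(document.cookie)</script>"
198.51.100.8 - - [26/Mar/2026:05:29:03 +0000] "GET /trap-path/ HTTP/1.1" 403 1024 "-" "Mozilla/5.0 <img src=x onerror=alert(1)>"
203.0.113.11 - - [26/Mar/2026:05:29:04 +0000] "GET /feed/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
"""


def parse_combined(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_user_agents(log_text: str) -> list:
    """Return (client_ip, user_agent) for every line whose UA carries markup."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec and SUSPICIOUS_UA_RE.search(rec["ua"]):
            hits.append((rec["ip"], rec["ua"]))
    return hits


def render_unescaped(ua: str) -> str:
    """The vulnerable pattern: the stored value is dropped straight into admin HTML."""
    return f"<td>{ua}</td>"


def render_escaped(ua: str) -> str:
    """The fixed pattern: escape on output, which is what esc_html() does in WordPress."""
    return f"<td>{html.escape(ua, quote=True)}</td>"


if __name__ == "__main__":
    for ip, ua in find_suspicious_user_agents(SAMPLE_LOG):
        print(f"{ip}: {ua!r}")
        print("  vulnerable :", render_unescaped(ua))
        print("  escaped    :", render_escaped(ua))
```

The scanner errs on the side of noise: a legitimate User-Agent that happens to contain a bare "<" followed by a letter will be flagged too, which is acceptable for a one-off review of a log after a vulnerable version was in use. The escaping half makes the remediation concrete: the same stored string that becomes a live script tag in render_unescaped() becomes inert text once every "<" and ">" is entity-encoded on the way out.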

Remediation

Users are advised to update the Blackhole for Bad Bots plugin to version 3.8.1 or later.

Added: Mar 26, 2026, 5:29 AM
Updated: Mar 26, 2026, 5:29 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.4
exploitability: 7.6
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.