CVE-2022-1165

Published: Apr 4, 2022Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abused by competitors to cause damage related to visibility in search engines, can be used to bypass arbitrary blocks caused by this plugin, block any visitor or even the administrator and even more.

Affected (1)

Products: Plugin Planet: Blackhole For Bad Bots

1 product

Blackhole For Bad Bots

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Plugin Planet Blackhole For Bad Bots	Before 3.3.2

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://plugins.trac.wordpress.org/changeset/2666486

Source: contact@wpscan.com

PatchThird Party Advisory

https://wpscan.com/vulnerability/10d85913-ea8c-4c2e-a32e-fa61cf191710

Source: contact@wpscan.com

ExploitThird Party Advisory

https://plugins.trac.wordpress.org/changeset/2666486

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://wpscan.com/vulnerability/10d85913-ea8c-4c2e-a32e-fa61cf191710

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.