CVE-2025-9376

Published: Aug 28, 2025Modified: Aug 29, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Exploitability: 3.9 / Impact: 2.5

Source: security@wordfence.com (Secondary)

Description

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbots_check_wordpress_logged_in_cookie' function in all versions up to, and including, 11.58. This makes it possible for unauthenticated attackers to bypass blocklists, rate limits, and other plugin functionality.

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://plugins.trac.wordpress.org/browser/stopbadbots/trunk/stopbadbots.php#L1958

Source: security@wordfence.com

https://plugins.trac.wordpress.org/changeset/3350927/

Source: security@wordfence.com

https://plugins.trac.wordpress.org/changeset/3351023/

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/8d6b0d86-3cb4-4723-b677-141c604f00cc?source=cve

Source: security@wordfence.com

Timeline

No history available yet.