Vulnerability Details : CVE-2022-1165
The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abused by competitors to cause damage related to visibility in search engines, can be used to bypass arbitrary blocks caused by this plugin, block any visitor or even the administrator and even more.
Products affected by CVE-2022-1165
- cpe:2.3:a:plugin-planet:blackhole_for_bad_bots:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-1165
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 38 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-1165
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
10.0
|
4.9
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
3.9
|
5.2
|
NIST |
CWE ids for CVE-2022-1165
-
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.Assigned by: contact@wpscan.com (Primary)
References for CVE-2022-1165
-
https://wpscan.com/vulnerability/10d85913-ea8c-4c2e-a32e-fa61cf191710
Attention Required! | CloudflareExploit;Third Party Advisory
-
https://plugins.trac.wordpress.org/changeset/2666486
Changeset 2666486 – WordPress Plugin RepositoryPatch;Third Party Advisory
Jump to