Security vulnerabilities in Blackhole for Bad Bots (2)
Blocklist bypass through user agent spoofing – (Blackhole for Bad Bots <= 3.3.3)
A malicious bot spoofing his User-Agent header to one in the plugin’s allowlist can bypass the plugin’s full functionality.
DOS through IP spoofing – (Blackhole for Bad Bots <= 3.3.3)
An attacker can use IP spoofing to ban legitimate users, search-engine crawlers, or a site’s reverse proxy. This becomes possible as soon as a site owner changes the default IP source of the plugin by using the “blackhole_ip_keys” filter.