Description: What the vulnerability does
The Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a site-wide “secret key” being deterministically generated from a constant character set using md5() and base64_encode() and then stored in the `banhammer_secret_key` option. This makes it possible for unauthenticated attackers to bypass the plugin’s logging and blocking by appending a GET parameter named `banhammer-process_{SECRET}` where `{SECRET}` is the predictable value, thereby causing Banhammer to abort its protections for that request.
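The following PHP is an added illustration, not Banhammer's own code: it contrasts a hypothetical deterministic key derivation of the kind the advisory describes with a per-site key drawn from the CSPRNG, and shows a constant-time check of the skip parameter. The option name `banhammer_secret_key` and the parameter prefix `banhammer-process_` come from the advisory; the constant, the function names and the WordPress option-handling flow are assumptions.

```php
<?php
// Added example (not the plugin's code). Shows why a secret derived from a
// fixed string is guessable and how a defender should generate and check it.

// Weak pattern, hypothetical reconstruction of the CWE-330 flaw: the input is a
// constant, so md5()+base64_encode() yield the same "secret" on every site and
// anyone can compute it offline. The constant here is a placeholder.
function weak_secret_key(): string {
    $fixed = 'PLACEHOLDER_CONSTANT'; // not the real value; illustrative only
    return base64_encode(md5($fixed));
}

// Hardened pattern: generate the key once per site from random_bytes() and
// persist it; never derive it from anything an outsider can reproduce.
function hardened_secret_key(): string {
    $key = get_option('banhammer_secret_key'); // assumed WordPress option name
    if (!is_string($key) || strlen($key) < 64) {
        $key = bin2hex(random_bytes(32));      // 256 bits of CSPRNG entropy
        update_option('banhammer_secret_key', $key, false); // autoload off
    }
    return $key;
}

// If a skip parameter is kept at all, honour it only when the suffix matches the
// stored key, compared in constant time with hash_equals().
function request_carries_valid_skip_token(array $get, string $key): bool {
    $prefix = 'banhammer-process_'; // parameter prefix named in the advisory
    foreach (array_keys($get) as $name) {
        if (strncmp((string) $name, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        $supplied = substr((string) $name, strlen($prefix));
        if (hash_equals($key, $supplied)) {
            return true;
        }
    }
    return false;
}
```

Logging the prefix alone (any request whose query string contains a key starting with `banhammer-process_`) gives a site owner a simple detection signal while the plugin is still on an affected version.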
Summary: Explanation of the vulnerability in simple terms
Banhammer versions 3.4.8 and earlier contain a use of insufficiently random values (CWE-330) that allows an attacker to predict or manipulate security tokens or identifiers. The vulnerability requires no authentication and can be exploited over the network. An attacker can compromise the integrity of site traffic monitoring and user-blocking decisions by forging or predicting tokens used by the plugin.
Attacker Capabilities: What an attacker can do
Forge or predict security tokens to bypass traffic monitoring or user-blocking rules.
Site Impact: Potential impact on your site
Attackers can evade bot detection and traffic controls, potentially allowing malicious traffic to reach your site.
Prerequisites: Conditions required to exploit
Network access only; no authentication or user interaction required.
Disclosure timeline: Key dates
September 26, 2025: CVE published
April 8, 2026: Record updated