CVE-2025-10745 MEDIUM

CVE-2025-10745: Banhammer – Monitor Site Traffic, Block Bad Users and Bots <= 3.4.8 - Unauthenticated Protection Mechanism Bypass

Vendor Specialk
Product Banhammer – Monitor Site Traffic, Block Bad Users and Bots
Weakness CWE-330 · Insufficient randomness
Published September 26, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a site-wide “secret key” being deterministically generated from a constant character set using md5() and base64_encode() and then stored in the `banhammer_secret_key` option. This makes it possible for unauthenticated attackers to bypass the plugin’s logging and blocking by appending a GET parameter named `banhammer-process_{SECRET}` where `{SECRET}` is the predictable value, thereby causing Banhammer to abort its protections for that request.
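The following PHP is an added illustration of the CWE-330 pattern the description names and of a hardened replacement; it is not the plugin's code. The constant character set the plugin used is not shown on this page, so `weak_secret_key()` uses an obviously labelled placeholder, the option store is an in-memory stand-in for `get_option`/`add_option`, and all function names are hypothetical.

```php
<?php
// Added example, not Banhammer's code. Shows why a secret derived from a fixed
// input is predictable, and what a per-site, CSPRNG-backed secret looks like.

// Weak pattern (constructed stand-in for the described md5()+base64_encode() scheme):
// the input never changes, so every install computes the same "secret".
function weak_secret_key(): string {
    $constant_charset = 'PLACEHOLDER_CONSTANT_CHARSET'; // hypothetical fixed input
    return base64_encode(md5($constant_charset));
}

// Hardened replacement: 32 bytes from the OS CSPRNG, hex-encoded (64 characters).
// Inside WordPress, wp_generate_password(64, false, false) is an equivalent choice.
function strong_secret_key(): string {
    return bin2hex(random_bytes(32));
}

// Generate once per site and persist it; never recompute it deterministically.
// $options stands in for the wp_options table (get_option / add_option).
function get_or_create_secret(array &$options, string $name): string {
    if (!isset($options[$name]) || $options[$name] === '') {
        $options[$name] = strong_secret_key();
    }
    return $options[$name];
}

// Compare a supplied token against the stored secret in constant time.
function token_matches(string $supplied, string $stored): bool {
    return hash_equals($stored, $supplied);
}

// Demonstration: two "installs" of the weak scheme share one key; the strong
// scheme gives each install its own key and reuses it on later requests.
$weakA = weak_secret_key();
$weakB = weak_secret_key();
echo "weak keys identical across installs: "
    . var_export($weakA === $weakB, true) . PHP_EOL;        // true

$installA = [];
$installB = [];
$strongA = get_or_create_secret($installA, 'banhammer_secret_key');
$strongB = get_or_create_secret($installB, 'banhammer_secret_key');
echo "strong keys identical across installs: "
    . var_export($strongA === $strongB, true) . PHP_EOL;    // false
echo "stored key reused on a later request: "
    . var_export(get_or_create_secret($installA, 'banhammer_secret_key') === $strongA, true)
    . PHP_EOL;                                              // true
echo "predictable value accepted as token: "
    . var_export(token_matches($weakA, $strongA), true) . PHP_EOL; // false
```

The two properties a fix needs are visible in the output: the secret differs between sites (unpredictability) and survives across requests (persistence). Rotating the stored option after upgrading is also worth doing, since a value already written by the deterministic scheme remains predictable until it is replaced.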

Explanation of Vulnerability in Simple Terms

02 Summary

Banhammer versions 3.4.8 and earlier contain a use of insufficiently random values (CWE-330) that allows an attacker to predict or manipulate security tokens or identifiers. The vulnerability requires no authentication and can be exploited over the network. An attacker can compromise the integrity of site traffic monitoring and user-blocking decisions by forging or predicting tokens used by the plugin.

What an attacker can do

03 Attacker Capabilities

Forge or predict security tokens to bypass traffic monitoring or user-blocking rules.

Potential impact on your site

04 Site Impact

Attackers can evade bot detection and traffic controls, potentially allowing malicious traffic to reach your site.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

September 26, 2025 CVE published
April 8, 2026 Record updated