CVE-2025-10745
BaseFortify
Publication date: 2025-09-26
Last updated on: 2025-09-26
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeff_starr | banhammer | 3.4.9 |
| jeff_starr | banhammer | 3.4.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Banhammer WordPress plugin where a site-wide secret key is generated in a predictable way using md5() and base64_encode(). Because the secret key is predictable, an unauthenticated attacker can bypass the plugin's logging and blocking features by appending a specially crafted GET parameter containing the secret key to their request. This causes the plugin to skip its protections for that request.
How can this vulnerability impact me?
An attacker can bypass the Banhammer plugin's blocking and logging mechanisms, allowing malicious users or bots to access the site without being detected or blocked. This could lead to increased unwanted traffic, potential abuse, or exploitation of other vulnerabilities since the plugin's protections are effectively disabled for those requests.