CVE-2025-10745: 
WordPress vulnerability analysis and mitigation

The Banhammer WordPress plugin (versions up to 3.4.8) contains a vulnerability identified as CVE-2025-10745, discovered on September 25, 2025. This security flaw affects the plugin's traffic monitoring and blocking functionality, which is designed to protect WordPress sites from malicious users and bots (NVD).

The vulnerability stems from the plugin's implementation of a site-wide 'secret key' that is deterministically generated using md5() and base64encode() functions from a constant character set. The key is stored in the 'banhammersecret_key' option. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The weakness is classified as CWE-330 (Use of Insufficiently Random Values) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to bypass the plugin's logging and blocking protections. This is achieved by appending a predictable GET parameter named 'banhammer-process_{SECRET}' to requests, causing Banhammer to abort its protective measures for that specific request (NVD).

The vulnerability was addressed in version 3.4.9 of the Banhammer plugin, released on September 22, 2025. The update improves randomization for secret key and target key generation by implementing wpgeneratepassword() instead of the previous deterministic method (WordPress Changeset).