CVE-2021-25095

IP2Location Country Blocker < 2.26.5 - Subscriber+ Arbitrary Country Ban

EPSS 0.5%CWE-352 CWE-862

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

07 Feb 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

Affected products

Unknown · IP2Location Country Blocker

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/2652469 https://wpscan.com/vulnerability/cbfa7211-ac1f-4cf2-bd79-ebce2fc4baa1