CVE-2021-25095

CWE-352Cross-Site Request Forgery (CSRF)CWE-862Missing AuthorizationCWE-284Improper Access Control3 documents3 sources
Severity
7.1HIGH
EPSS
0.1%
top 64.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Ip2location Country BlockerIp2location Country Blocker
Timeline
PublishedFeb 7
Latest updateFeb 8

Description

The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:HExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

CVEListV5unknown/ip2location_country_blocker2.26.52.26.5

Patches

Patch: plugins.trac.wordpress.orgPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-hgh9-57mp-975h: The IP2Location Country Blocker WordPress plugin before 22022-02-08
CVEList
IP2Location Country Blocker < 2.26.5 - Subscriber+ Arbitrary Country Ban2022-02-07
CVE-2021-25095 (HIGH CVSS 7.1) | The IP2Location Country Blocker Wor | cvebase.io