CVE-2021-25108

Severity: 7.1 HIGH
EPSS: 0.1% (top 74.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 7; Latest update Feb 8

Description

The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have a CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged-in admin block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H (Exploitability: 2.8 | Impact: 4.2)

Affected Packages (2 packages)

CVEListV5 | unknown/ip2location_country_blocker | 2.26.6 | 2.26.6

Patches

Vulnerability Details (2)

GHSA: GHSA-r5r8-g427-8mp7: "The IP2Location Country Blocker WordPress plugin before 2" (2022-02-08)
CVEList: "IP2Location Country Blocker < 2.26.6 - Arbitrary Country Ban via CSRF" (2022-02-07)