CVE-2025-1361

CWE-285 CWE-862 — Missing Authorization3 documents3 sources

Severity

5.3MEDIUM

EPSS

0.2%

top 61.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ip2location Country Blocker Ip2location Ip2location Country Blocker

Timeline

PublishedFeb 22

Description

The IP2Location Country Blocker plugin for WordPress is vulnerable to Regular Information Exposure in all versions up to, and including, 2.38.8 due to missing capability checks on the admin_init() function. This makes it possible for unauthenticated attackers to view the plugin's settings.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDip2location/country_blocker< 2.38.9

▶CVEListV5ip2location/ip2location_country_blocker2.38.8

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

IP2Location Country Blocker <= 2.38.8 - Missing Authorization to Unauthenticated Information Exposure via admin_init Function↗2025-02-22

▶

GHSA

GHSA-xrwv-8jhj-x69w: The IP2Location Country Blocker plugin for WordPress is vulnerable to Regular Information Exposure in all versions up to, and including, 2↗2025-02-22

▶