WordPress Plugin Vulnerabilities

IP2Location Redirection < 1.33.4 - Missing Authorization to Unauthenticated Settings Export

Description

The IP2Location Redirection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'download_ip2location_redirection_backup' AJAX action in all versions up to, and including, 1.33.3. This makes it possible for unauthenticated attackers to download the plugin's settings.

Affects Plugins

Plugin icon
ip2location-redirection
Fixed in 1.33.4

References

CVE
CVE-2025-1502
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bca41dd8-5bd3-4fee-9f3f-feb8f1a4c687

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
9295ada9-917e-4d86-88bd-dd47a00d3050

Timeline

Publicly Published
2025-02-28 (about 1 year ago)
Added
2025-02-28 (about 1 year ago)
Last Updated
2025-03-01 (about 1 year ago)

Other

Published
Title
Published
2024-02-09
Title
Awesome Support – WordPress HelpDesk & Support Plugin < 6.1.8 - Missing Authorization via wpas_get_users()
Published
2026-01-19
Title
LearnPress – WordPress LMS Plugin < 4.3.2.5 - Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API
Published
2025-04-15
Title
JetMenu < 2.4.9.1 - Missing Authorization
Published
2024-06-12
Title
Himer - Social Questions and Answers < 2.1.1 - Subscriber+ Private Group Joining via IDOR
Published
2025-03-04
Title
Zass - WooCommerce Theme for Handmade Artists and Artisans <= 3.9.9.10 - Missing Authorization to Authenticated (Subscriber+) Demo Import