WordPress Plugin Vulnerabilities

IP2Location Country Blocker < 2.26.5 - Subscriber+ Arbitrary Country Ban

Description

The plugin does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

v2.26.5 added authorisation but not CSRF check, a separate issue has been created

Proof of Concept

Affects Plugins

Plugin icon
ip2location-country-blocker
Fixed in 2.26.5

References

CVE
CVE-2021-25095
URL
https://plugins.trac.wordpress.org/changeset/2652469

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
cbfa7211-ac1f-4cf2-bd79-ebce2fc4baa1

Timeline

Publicly Published
2022-01-06 (about 3 years ago)
Added
2022-01-06 (about 3 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2024-10-31
Title
Multiple Page Generator Plugin – MPG < 4.0.2 - Missing Authorization
Published
2024-02-28
Title
Download Manager < 3.2.85 - Unauthenticated File Download
Published
2021-07-12
Title
Frontend File Manager < 18.3 - Unauthenticated Post Meta Change to Arbitrary File Download
Published
2024-02-16
Title
Paid Memberships Pro < 2.12.9 - Contributor+ Arbitrary User Custom Field Disclosure
Published
2024-05-01
Title
Contact Form by WPForms – Drag & Drop Form Builder for WordPress < 1.8.8.2 - Unauthenticated Price Manipulation