Vulnerability Description
The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ip2Location | Country Blocker | < 2.26.5 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2652469PatchThird Party Advisory
- https://wpscan.com/vulnerability/cbfa7211-ac1f-4cf2-bd79-ebce2fc4baa1ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2652469PatchThird Party Advisory
- https://wpscan.com/vulnerability/cbfa7211-ac1f-4cf2-bd79-ebce2fc4baa1ExploitThird Party Advisory
FAQ
What is CVE-2021-25095?
CVE-2021-25095 is a vulnerability with a CVSS score of 7.1 (HIGH). The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, ...
How severe is CVE-2021-25095?
CVE-2021-25095 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-25095?
Check the references section above for vendor advisories and patch information. Affected products include: Ip2Location Country Blocker.