CVE-2021-25095 Information

Description

The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action allowing any authenticated users such as subscriber to call it and block arbitrary country or block all of them at once preventing users from accessing the frontend.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Reference

https://plugins.trac.wordpress.org/changeset/2652469 https://wpscan.com/vulnerability/cbfa7211-ac1f-4cf2-bd79-ebce2fc4baa1

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

HIGH

Base Severity

7.1