CVE-2021-25095
Last modified
CVE-2021-25095 is a high-severity vulnerability rated 7.1/10 on the CVSS scale. The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.. EPSS estimates a 0.53% chance of exploitation in the next 30 days.
Description
The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Ip2location | Country Blocker | < 2.26.5 |
References
- https://plugins.trac.wordpress.org/changeset/2652469Patch, Third Party Advisory
- https://wpscan.com/vulnerability/cbfa7211-ac1f-4cf2-bd79-ebce2fc4baa1Exploit, Third Party Advisory
- https://plugins.trac.wordpress.org/changeset/2652469Patch, Third Party Advisory
- https://wpscan.com/vulnerability/cbfa7211-ac1f-4cf2-bd79-ebce2fc4baa1Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-25095?
How severe is CVE-2021-25095?
How do I fix CVE-2021-25095?
Are you affected by CVE-2021-25095?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST