Описание
The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.
Ссылки
- PatchThird Party Advisory
- ExploitThird Party Advisory
- PatchThird Party Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.26.5 (исключая)
cpe:2.3:a:ip2location:country_blocker:*:*:*:*:*:wordpress:*:*
EPSS
Процентиль: 36%
0.00148
Низкий
7.1 High
CVSS3
5.5 Medium
CVSS2
Дефекты
CWE-352
CWE-352
Связанные уязвимости
CVSS3: 7.1
github
почти 4 года назад
The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.
EPSS
Процентиль: 36%
0.00148
Низкий
7.1 High
CVSS3
5.5 Medium
CVSS2
Дефекты
CWE-352
CWE-352