exploitDog

CVE-2021-25108

Опубликовано: 07 фев. 2022

Источник: nvd

CVSS3: 7.1

CVSS2: 5.8

EPSS Низкий

Описание

The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

Ссылки

https://plugins.trac.wordpress.org/changeset/2653459
Patch
Third Party Advisory
https://wpscan.com/vulnerability/9d416ca3-bd02-4fcf-b3b8-f2f2280d02d2
Exploit
Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2653459
Patch
Third Party Advisory
https://wpscan.com/vulnerability/9d416ca3-bd02-4fcf-b3b8-f2f2280d02d2
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ip2location:country_blocker:*:*:*:*:*:wordpress:*:*

Версия до 2.26.6 (исключая)

EPSS

Процентиль: 26%

0.00089

Низкий

7.1 High

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-352

CWE-352

Связанные уязвимости

GHSA-r5r8-g427-8mp7

github

почти 4 года назад

The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend.

EPSS

Процентиль: 26%

0.00089

Низкий

7.1 High

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-352

CWE-352