CVE-2021-25095

7.1 HIGH

📋 TL;DR

The IP2Location Country Blocker WordPress plugin before version 2.26.5 performs neither an authorization (capability) check nor a CSRF (nonce) check in its ip2location_country_blocker_save_rules AJAX action. Any authenticated user, down to the subscriber role, can call the action and rewrite the country blocking rules, for example blocking every country at once, which turns away legitimate visitors and amounts to a denial of service against the site.

💻 Affected Systems

Products:
  • IP2Location Country Blocker WordPress Plugin
Versions: All versions before 2.26.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled and at least one authenticated user account.

📦 What is this software?

IP2Location Country Blocker is a WordPress plugin that allows or denies visitors according to the country their IP address resolves to, using IP2Location geolocation data. Site administrators maintain the block rules on the plugin's settings page, which saves them through an AJAX action on wp-admin/admin-ajax.php; that save action is the one at issue in this CVE.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker holding nothing more than a subscriber account blocks all countries, so every visitor is turned away from the website frontend: a full denial of service for the site, with the matching business impact.

🟠 Likely Case

A malicious authenticated user selectively blocks countries to cut off specific regions or user groups, degrading service and user experience for those visitors while the site looks healthy from elsewhere.

🟢 If Mitigated

With the capability and nonce checks in place, only administrators acting through the plugin's own settings page can change the rules; a request sent by a low-privilege account, or forged from another origin, is rejected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account of any role (a subscriber account suffices) and consists of a single POST to wp-admin/admin-ajax.php naming the vulnerable action. No public exploit code is known to this page, but the request is trivial to craft once the action name and its parameters are known, so treat it as weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.26.5

Vendor Fix (plugin changeset): https://plugins.trac.wordpress.org/changeset/2652469

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'IP2Location Country Blocker'.
4. Click 'Update Now' if available, or download version 2.26.5 or later from the WordPress plugin repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

all

Temporarily disable the vulnerable ip2location_country_blocker_save_rules AJAX action by removing or modifying the plugin code.

Edit wp-content/plugins/ip2location-country-blocker/ip2location-country-blocker.php and comment out or remove the add_action() call that registers the vulnerable AJAX handler.

Caveats: editing the plugin's own files also stops administrators from saving rules, and the edit is silently undone by the next plugin update. A must-use plugin in wp-content/mu-plugins/ that hooks the same AJAX action ahead of the plugin's handler and rejects unauthorized callers achieves the same effect without touching vendor code and survives updates.
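The must-use plugin below is an added example written for this page; it is not code from the IP2Location plugin or its vendor. It relies on WordPress's convention that an admin-ajax action named X is dispatched through the hook wp_ajax_X, registers a handler at priority 1 so it runs before the plugin's own handler (which uses the default priority), and ends the request on failure so the vulnerable handler never executes. The choice of the manage_options capability, the Origin/Referer host comparison used as a stand-in for the missing nonce check, and the function and file names are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Temporary guard for IP2Location Country Blocker save_rules (CVE-2021-25095)
 * Description: Added example, not part of the IP2Location plugin. Place this
 *              file in wp-content/mu-plugins/ so it loads automatically and
 *              survives plugin updates. Remove it after upgrading to 2.26.5+.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Direct access to the file is never legitimate.
}

/**
 * Reject the save_rules request unless the caller may manage site options
 * and the request originates from this site. Hooked at priority 1 so it
 * runs before the plugin's handler (hooks default to priority 10);
 * wp_send_json_error() ends the request, so the vulnerable code is skipped.
 */
function cve_2021_25095_guard_save_rules() {
    // Assumption: rule changes should be limited to administrators
    // (manage_options). Adjust if your site delegates this elsewhere.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // CSRF hardening. Vulnerable versions never verify a nonce and the
    // plugin's nonce action name is not known here, so require that the
    // browser-supplied Origin (or, failing that, Referer) host matches the
    // host serving wp-admin. A forged cross-site POST carries a foreign
    // Origin, or none at all, and is rejected either way.
    $source = '';
    if ( ! empty( $_SERVER['HTTP_ORIGIN'] ) ) {
        $source = $_SERVER['HTTP_ORIGIN'];
    } elseif ( ! empty( $_SERVER['HTTP_REFERER'] ) ) {
        $source = $_SERVER['HTTP_REFERER'];
    }
    $source_host = wp_parse_url( $source, PHP_URL_HOST );
    $site_host   = wp_parse_url( admin_url(), PHP_URL_HOST );

    if ( empty( $source_host ) || strcasecmp( $source_host, $site_host ) !== 0 ) {
        wp_send_json_error( array( 'message' => 'cross-site request rejected' ), 403 );
    }
    // Otherwise fall through: the plugin's own handler runs next and saves the rules.
}
add_action( 'wp_ajax_ip2location_country_blocker_save_rules', 'cve_2021_25095_guard_save_rules', 1 );
```

Trade-off to be aware of: a browser or privacy extension that strips both Origin and Referer will cause a legitimate administrator's save to be rejected as well. That is the cost of enforcing an origin check without access to the plugin's nonce, and it is acceptable for a stop-gap that is removed once 2.26.5 is installed.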

Restrict user registration

all

Prevent new user registrations so that attackers cannot self-provision the authenticated account the attack needs. This does nothing about accounts that already exist: any existing subscriber, customer or similar low-privilege account can still exploit the flaw, so review the user list as well.

In WordPress admin: Settings > General > Membership: Uncheck 'Anyone can register'

🧯 If You Can't Patch

  • Disable the IP2Location Country Blocker plugin entirely until patched
  • Implement network-level country blocking via firewall or CDN instead of plugin

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for IP2Location Country Blocker version. If version is below 2.26.5, the system is vulnerable.

Check Version:

wp plugin list --name=ip2location-country-blocker --field=version

WP-CLI filters on the plugin slug (the directory name under wp-content/plugins/), not the display title shown in the admin panel. The equivalent wp plugin get ip2location-country-blocker --field=version prints the same value.

Verify Fix Applied:

Confirm the plugin version is 2.26.5 or higher in the WordPress admin panel. Then, from a subscriber-level test account, send a POST to wp-admin/admin-ajax.php with action=ip2location_country_blocker_save_rules and confirm it is rejected and the rules are unchanged; only administrators working through the plugin's settings page should be able to modify country blocking rules.

📡 Detection & Monitoring

Log Indicators:

  • Multiple AJAX requests to /wp-admin/admin-ajax.php with action=ip2location_country_blocker_save_rules from non-admin users
  • Sudden changes to the country blocking configuration without a corresponding administrator action

Caveat: admin-ajax.php requests normally carry the action name in the POST body, so a plain web server access log records only "POST /wp-admin/admin-ajax.php" and never the action or the caller's role. Seeing either requires a source that inspects the request on the application side: a WordPress audit-log plugin, a WAF that logs request bodies, or a custom hook on the action.

Network Indicators:

  • POST requests to admin-ajax.php with country blocking parameters from sessions that do not belong to administrators (a WAF or reverse proxy with body logging is needed to see the parameters)

SIEM Query (illustrative; the source name and the user_role field assume a log that records the AJAX action and the caller's role, which plain web server logs do not):

source="wordpress.log" AND "admin-ajax.php" AND "ip2location_country_blocker_save_rules" AND NOT user_role="administrator"
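Because a standard access log cannot show which user called the action, the following must-use plugin produces the log line the SIEM query above assumes. It is an added example for this page, not code from the IP2Location plugin or its vendor; it hooks the action at priority 0 so it observes every call (allowed or not) and leaves the plugin's handler to run afterwards. The manage_options capability as the definition of "administrator", the 10-minute window and 5-call burst threshold, and the function and file names are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Audit log for IP2Location Country Blocker save_rules (CVE-2021-25095)
 * Description: Added example, not part of the IP2Location plugin. Place in
 *              wp-content/mu-plugins/. Records every call to the save_rules
 *              AJAX action with the caller's identity and roles, which the web
 *              server cannot log because the action name is in the POST body.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

function cve_2021_25095_audit_save_rules() {
    $user  = wp_get_current_user();           // wp_ajax_* only fires for logged-in users
    $roles = ! empty( $user->roles ) ? implode( ',', $user->roles ) : 'none';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $ref   = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '-';

    // Per-user call counter over a sliding 10-minute window, kept in a
    // transient. Assumed threshold: more than 5 saves in the window is a burst.
    $key   = 'cve_2021_25095_calls_' . $user->ID;
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, 10 * MINUTE_IN_SECONDS );

    // A caller who cannot manage options has no business saving rules; on a
    // vulnerable version the save would nonetheless succeed, so this is an
    // attack attempt. Bursts from administrators are worth a look, not an alarm.
    if ( ! current_user_can( 'manage_options' ) ) {
        $level = 'ALERT';
    } elseif ( $count > 5 ) {
        $level = 'WARN';
    } else {
        $level = 'INFO';
    }

    // Log field names only: rule payloads can be large and their values are
    // not needed to decide whether the call was legitimate.
    $fields = implode( ',', array_map( 'sanitize_key', array_keys( $_POST ) ) );

    error_log( sprintf(
        '[%s] ip2location_save_rules user_id=%d user=%s roles=%s ip=%s calls_10m=%d referer=%s fields=%s',
        $level,
        $user->ID,
        $user->user_login,
        $roles,
        $ip,
        $count,
        $ref,
        $fields
    ) );
}
add_action( 'wp_ajax_ip2location_country_blocker_save_rules', 'cve_2021_25095_audit_save_rules', 0 );
```

The lines land in PHP's error log (or wp-content/debug.log when WP_DEBUG_LOG is enabled); ship that file to the SIEM and the query reduces to matching "[ALERT] ip2location_save_rules". The roles field is included alongside the capability-based level because the page's query keys on role name, while the decision itself is made on the capability, which survives custom role schemes.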
