CVE-2021-25108

7.1 HIGH

📋 TL;DR

This vulnerability in the IP2Location Country Blocker WordPress plugin allows attackers to trick logged-in administrators into blocking arbitrary countries or all countries at once via CSRF attacks. This prevents legitimate users from accessing the website frontend. Only WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • IP2Location Country Blocker WordPress Plugin
Versions: All versions before 2.26.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled and an admin user logged in.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could block all countries, completely denying access to legitimate users worldwide, effectively taking the website offline for all visitors.

🟠 Likely Case

Attackers block specific countries to disrupt business operations in targeted regions or block the site owner's own country to cause confusion and service disruption.

🟢 If Mitigated

With proper CSRF protections and admin awareness, exploitation attempts fail, maintaining normal site functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking a logged-in admin into clicking a malicious link or visiting a crafted page. No authentication bypass is needed; the forged request rides on the admin's existing session.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.26.6

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2653459

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'IP2Location Country Blocker'.
4. Click 'Update Now' if available, or download version 2.26.6+ from the WordPress repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until it is patched.

wp plugin deactivate ip2location-country-blocker

Add CSRF Protection Manually

all

Add nonce verification to the vulnerable AJAX action in the plugin code.

Edit wp-content/plugins/ip2location-country-blocker/includes/class-ip2location-country-blocker-ajax.php and add a wp_verify_nonce() check before the ip2location_country_blocker_save_rules function executes.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block CSRF attacks targeting the vulnerable AJAX endpoint
  • Educate administrators about phishing risks and implement strict access controls for admin accounts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for the IP2Location Country Blocker version. If the version is below 2.26.6, the site is vulnerable.

Check Version:

wp plugin get ip2location-country-blocker --field=version

Verify Fix Applied:

Verify that the plugin version is 2.26.6 or higher in the WordPress admin panel. Test the country blocking functionality to confirm it still works with the CSRF protection in place.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-admin/admin-ajax.php with action=ip2location_country_blocker_save_rules from unexpected sources
  • Sudden changes to country blocking rules in plugin logs without corresponding admin activity

Network Indicators:

  • CSRF attack patterns with Referer header mismatches targeting the vulnerable AJAX endpoint

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "ip2location_country_blocker_save_rules" AND NOT user="admin_username"
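Detection logic for the log and network indicators above, as an added example that is not part of the advisory or the plugin. It parses constructed combined-format access log lines and flags calls to the vulnerable AJAX action whose Referer is missing or points at a host other than the site; the site hostname and the action appearing in the query string are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# The AJAX action named in the advisory's log indicators.
ACTION = "ip2location_country_blocker_save_rules"

# Combined log format (Apache/nginx default). The POST body is not logged, so this
# relies on the action being in the query string, which admin-ajax.php also accepts;
# body-level logging (e.g. from a WAF) is needed to see actions sent only in the body.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line, site_host):
    """Return (ip, reason) if the line is a suspicious call to the vulnerable action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    if parse_qs(url.query).get("action", [None])[0] != ACTION:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        return (m["ip"], "no Referer on admin-ajax call")
    ref_host = urlsplit(referer).hostname or ""
    if ref_host.lower() != site_host.lower():
        return (m["ip"], f"Referer host {ref_host!r} does not match site")
    return None

def scan(lines, site_host):
    """Return the list of (ip, reason) findings and a per-IP count, to spot repeated attempts."""
    findings = [f for f in (classify(l, site_host) for l in lines) if f]
    return findings, Counter(ip for ip, _ in findings)

# Constructed sample log: one legitimate save from the plugin's admin page, two forged
# requests from 198.51.100.7 (cross-site Referer, then no Referer), and two unrelated hits.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2022:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=ip2location_country_blocker_save_rules HTTP/1.1" 200 31 "https://shop.example/wp-admin/admin.php?page=ip2location-country-blocker" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2022:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=ip2location_country_blocker_save_rules HTTP/1.1" 200 31 "https://lure.example/post.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2022:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=ip2location_country_blocker_save_rules HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jan/2022:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2022:10:00:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://lure.example/post.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG, "shop.example")[0]:
        print(ip, reason)
```

A missing Referer is a weaker signal than a mismatch, since browsers and privacy extensions sometimes strip it; treat it as a lead to correlate with the plugin's own rule-change history rather than as proof on its own.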
