CVE-2025-1361
📋 TL;DR
The IP2Location Country Blocker WordPress plugin exposes sensitive configuration settings to unauthenticated users due to missing capability checks. This allows attackers to view plugin settings without authentication. All WordPress sites using this plugin up to version 2.38.8 are affected.
💻 Affected Systems
- IP2Location Country Blocker WordPress Plugin
📦 What is this software?
Country Blocker by IP2Location
⚠️ Risk & Real-World Impact
Worst Case
Attackers could learn country blocking rules, IP ranges, and security configurations, enabling them to bypass geographic restrictions or plan targeted attacks.
Likely Case
Unauthenticated users can view plugin settings including blocked countries, whitelisted IPs, and security configurations.
If Mitigated
With proper access controls, only authenticated administrators can view plugin settings.
🎯 Exploit Status
Exploitation requires sending HTTP requests to specific admin endpoints without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.38.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3244193/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'IP2Location Country Blocker'.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.38.9 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
Platform: WordPress. Temporarily disable the IP2Location Country Blocker plugin until it is patched:
wp plugin deactivate ip2location-country-blocker
Restrict admin endpoint access
Platform: all. Use a web application firewall or .htaccess rules to block unauthenticated access to /wp-admin/admin.php endpoints, for example by allowing only trusted source addresses, since the web server itself cannot see WordPress session state.
🧯 If You Can't Patch
- Disable the IP2Location Country Blocker plugin completely
- Implement network-level restrictions to block access to WordPress admin endpoints from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the IP2Location Country Blocker version. If the version is 2.38.8 or lower, the site is vulnerable.
Check Version:
wp plugin get ip2location-country-blocker --field=version
Verify Fix Applied:
After updating, verify the plugin version shows 2.38.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to /wp-admin/admin.php?page=ip2location-country-blocker from clients that carry no logged-in session cookie
- Multiple failed authentication attempts followed by admin endpoint access
Network Indicators:
- HTTP requests to admin endpoints without authentication cookies or tokens
- Traffic patterns showing information gathering from admin interfaces
SIEM Query:
source="wordpress.log" AND (uri="/wp-admin/admin.php" AND parameters CONTAINS "ip2location-country-blocker") AND NOT (user_agent CONTAINS "WordPress" OR cookie CONTAINS "wordpress_logged_in")
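The SIEM query above, expressed as a small offline detector so the logic can be tested against log exports. This is an added example, not part of the advisory or the plugin; the JSON-lines log schema (src_ip, method, uri, user_agent, cookie) and the sample records are constructed assumptions, and the detector mirrors the page's conditions: a request to /wp-admin/admin.php whose query mentions the plugin slug, with no wordpress_logged_in cookie and no WordPress user agent.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample records (JSON lines), not real traffic. The field names are an
# assumption about the log schema; adapt them to your own web server or WAF export.
SAMPLE_LOG = """\
{"src_ip":"203.0.113.10","method":"GET","uri":"/wp-admin/admin.php?page=ip2location-country-blocker","user_agent":"curl/8.5.0","cookie":""}
{"src_ip":"198.51.100.7","method":"GET","uri":"/wp-admin/admin.php?page=ip2location-country-blocker","user_agent":"Mozilla/5.0","cookie":"wordpress_logged_in_abc=admin%7C..."}
{"src_ip":"203.0.113.10","method":"GET","uri":"/wp-admin/admin.php?page=ip2location-country-blocker","user_agent":"python-requests/2.31","cookie":"wp-settings-1=x"}
{"src_ip":"192.0.2.5","method":"GET","uri":"/wp-admin/admin.php?page=wc-admin","user_agent":"Mozilla/5.0","cookie":""}
{"src_ip":"127.0.0.1","method":"POST","uri":"/wp-admin/admin.php?page=ip2location-country-blocker","user_agent":"WordPress/6.5; https://example.invalid","cookie":""}
"""

PLUGIN_SLUG = "ip2location-country-blocker"
ADMIN_PATH = "/wp-admin/admin.php"


def is_suspicious(rec):
    """Apply the advisory's SIEM conditions to one log record."""
    parts = urlsplit(rec["uri"])
    if parts.path != ADMIN_PATH:
        return False                      # only the admin.php endpoint is of interest
    if PLUGIN_SLUG not in parts.query:
        return False                      # query string must reference the plugin page
    if "wordpress_logged_in" in rec.get("cookie", ""):
        return False                      # an authenticated session is expected to reach this page
    if "WordPress" in rec.get("user_agent", ""):
        # Mirrors the page's query (loopback/cron traffic). The UA is client-controlled,
        # so treat this purely as a noise filter, never as a trust decision.
        return False
    return True


def scan(log_text):
    """Return the suspicious records and a per-source-IP count for triage."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    suspicious = [r for r in records if is_suspicious(r)]
    return suspicious, Counter(r["src_ip"] for r in suspicious)


if __name__ == "__main__":
    hits, by_ip = scan(SAMPLE_LOG)
    for r in hits:
        print(f"ALERT {r['src_ip']} {r['method']} {r['uri']} ua={r['user_agent']!r}")
    print("unauthenticated plugin-page requests per source:", dict(by_ip))
```

Two of the five constructed records match (both from 203.0.113.10); the logged-in administrator, the unrelated admin page and the WordPress-agent loopback request are filtered out. Repeated hits from one source against the settings page are the pattern worth escalating, since a legitimate administrator would present a session cookie.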
🔗 References
- https://plugins.trac.wordpress.org/browser/ip2location-country-blocker/trunk/ip2location-country-blocker.php#L114
- https://plugins.trac.wordpress.org/changeset/3244193/
- https://wordpress.org/plugins/ip2location-country-blocker/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b63bc2b6-1abc-4cfa-a7e5-3995640f66a7?source=cve