CVE-2021-25095: Changeset 2652469 – WordPress Plugin Repository
The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated user, such as a subscriber, to call it and block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.
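What a handler for this AJAX action looks like with both missing controls in place, as an added illustration written for this page and not the plugin's own code. The hook name follows the WordPress `wp_ajax_` convention for the action named above; the nonce action, the option name, the accepted `mode` values and the shape of `countries` (array or comma-separated string) are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Assumed: nonce action 'icb_save_rules',
// option 'icb_example_rules', modes 'block'/'allow', countries as array or CSV string.

add_action('wp_ajax_ip2location_country_blocker_save_rules', 'icb_example_save_rules');

function icb_example_save_rules() {
    // CSRF: the request must carry a nonce minted for this action and this user.
    // check_ajax_referer() ends the request (-1) when verification fails.
    check_ajax_referer('icb_save_rules', 'nonce');

    // Authorisation: check a capability, not a role name, as WordPress recommends.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Permission denied.'], 403);
    }

    // Accept only the values the settings UI can legitimately send.
    $mode = isset($_POST['mode']) ? sanitize_key(wp_unslash($_POST['mode'])) : '';
    if (!in_array($mode, ['block', 'allow'], true)) {
        wp_send_json_error(['message' => 'Invalid mode.'], 400);
    }

    $raw = isset($_POST['countries']) ? wp_unslash($_POST['countries']) : [];
    if (is_string($raw)) {
        $raw = explode(',', $raw);
    }

    // Keep only ISO 3166-1 alpha-2 codes; drop anything else silently.
    $countries = [];
    foreach ((array) $raw as $code) {
        $code = strtoupper(trim(sanitize_text_field($code)));
        if (preg_match('/^[A-Z]{2}$/', $code)) {
            $countries[] = $code;
        }
    }

    update_option('icb_example_rules', [
        'mode'      => $mode,
        'countries' => array_values(array_unique($countries)),
    ]);
    wp_send_json_success(['saved' => count($countries)]);
}

// The admin page that issues the request must embed the matching nonce, for
// example by passing wp_create_nonce('icb_save_rules') to the script via
// wp_localize_script(), and send it as the 'nonce' POST field.
```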
ip2location-country-blocker/trunk/ip2location-country-blocker.php
r2644207
r2652469
4
4
* Plugin URI: https://ip2location.com/resources/wordpress-ip2location-country-blocker
5
5
* Description: Block visitors from accessing your website or admin area by their country.
6
* Version: 2.26.4
6
* Version: 2.26.5
7
7
* Author: IP2Location
8
8
* Author URI: https://www.ip2location.com.
…
…
1635
1635
}
1636
1636
1637
// Ignore static files
1638
if (preg\_match('/\\.(7z|apk|avi|avif|bin|bmp|bz2|class|css|csv|dmg|doc|docx|ejs|eot|eps|exe|flac|gif|gz|ico|iso|jar|jpeg|jpg|js|mid|midi|mkv|mp3|mp4|ogg|otf|pdf|pict|pls|png|ppt|pptx|ps|rar|svg|svgz|swf|tar|tif|tiff|ttf|webm|webp|woff|woff2|xls|xlsx|zip|zst)$/i', $\_SERVER\['REQUEST\_URI'\])) {
1639
return;
1640
}
1641
1642
// Ignore internal XHR calls
1643
if (preg\_match('/wp-json|admin-ajax|wc-ajax|jm-ajax|doing\_wp\_cron/', $\_SERVER\['REQUEST\_URI'\])) {
1644
return;
1637
// Ignore internal XHR & cron
1638
if (isset($\_SERVER\['SCRIPT\_NAME'\])) {
1639
if (in\_array(basename($\_SERVER\['SCRIPT\_NAME'\]), \['admin-ajax.php', 'ajax.php', 'cron.php', 'wp-cron.php'\])) {
1640
return;
1641
}
1645
1642
}
1646
1643
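Review bot: the replacement exemption keys off basename($_SERVER['SCRIPT_NAME']) rather than a substring match on REQUEST_URI, which is the right direction (a request path that merely contains "admin-ajax" or "doing_wp_cron" no longer skips the blocker), but it also drops the wp-json, wc-ajax and jm-ajax exemptions, which are served through index.php and are therefore now subject to the country check; confirm that is intended and record it in the changelog. The unchanged static-file check just above still has the weakness the new code avoids: its regex is anchored with `$` against the full REQUEST_URI, query string included, so the extension test should run on parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) rather than on the raw URI.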
…
…
1893
1890
header('Content-Type: application/json');
1894
1891
1892
if (!current\_user\_can('administrator')) {
1893
die(json\_encode(\[
1894
'status' => 'ERROR',
1895
'message' => \_\_('Permission denied.', 'ip2location-country-blocker'),
1896
\]));
1897
}
1898
1895
1899
require\_once ABSPATH . 'wp-admin/includes/file.php';
1896
1900
WP\_Filesystem();
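Review bot: current_user_can('administrator') tests a role name, which the WordPress documentation for current_user_can() explicitly discourages as unreliable; use the capability the action actually needs, e.g. current_user_can('manage_options'), so that custom roles granted that capability work and the check does not depend on role naming. Since the Content-Type header is already set to JSON, wp_send_json_error(['message' => ...], 403) would also return a proper HTTP status instead of a 200 with an error body.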
…
…
2046
2050
header('Content-Type: application/json');
2047
2051
2052
if (!current\_user\_can('administrator')) {
2053
die(json\_encode(\[
2054
'status' => 'ERROR',
2055
'message' => \_\_('Permission denied.', 'ip2location-country-blocker'),
2056
\]));
2057
}
2058
2048
2059
require\_once ABSPATH . 'wp-admin/includes/file.php';
2049
2060
WP\_Filesystem();
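Review bot: this is a second verbatim copy of the permission block from the previous hunk, with a third following; factor it into one private helper (for example `$this->require_admin()`) that emits the JSON error and exits, so that a later change such as switching to a capability name or adding a nonce check is made in a single place.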
…
…
2195
2206
header('Content-Type: application/json');
2196
2207
2208
if (!current\_user\_can('administrator')) {
2209
die(json\_encode(\[
2210
'status' => 'ERROR',
2211
'message' => \_\_('Permission denied.', 'ip2location-country-blocker'),
2212
\]));
2213
}
2214
2197
2215
try {
2198
2216
$token = (isset($\_POST\['token'\])) ? $\_POST\['token'\] : '';
…
…
2246
2264
public function save\_rules()
2247
2265
{
2266
if (!current\_user\_can('administrator')) {
2267
wp\_die(\_\_('Permission denied.', 'ip2location-country-blocker'));
2268
}
2269
2248
2270
$mode = (isset($\_POST\['mode'\])) ? $\_POST\['mode'\] : '';
2249
2271
$countries = (isset($\_POST\['countries'\])) ? $\_POST\['countries'\] : '';
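Review bot: save_rules() is the AJAX action named in the advisory, and the visible change only adds the authorisation check; no nonce verification (check_ajax_referer() or wp_verify_nonce()) appears here, so the CSRF half of the advisory is not addressed by these lines and should be added before any $_POST value is read. The handler also uses wp_die() with a plain-text message where the sibling handlers return JSON, which gives the client an inconsistent error format; and $mode and $countries are taken raw from $_POST, so validate $mode against the set of supported modes and restrict $countries to known country codes before saving.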
ip2location-country-blocker/trunk/readme.txt
r2644207
r2652469
6
6
Requires at least: 2.0
7
7
Tested up to: 5.8
8
Stable tag: 2.26.4
8
Stable tag: 2.26.5
9
9
10
10
Blocks unwanted visitors from accessing your frontend (blog pages) or backend (admin area) by countries or proxy servers.
…
…
89
89
90
90
== Changelog ==
91
* 2.26.5 Fixed security issues with CSRF.
91
92
* 2.26.4 Removed missing Javascript.
92
93
* 2.26.3 Updated default blocking template.
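Review bot: the 2.26.5 entry says "Fixed security issues with CSRF", but the code changes in this revision add authorisation (administrator) checks to the AJAX handlers and change which internal requests are exempt from blocking; the changelog should state that missing authorisation checks on the AJAX actions were fixed and note the removed wp-json/wc-ajax/jm-ajax exemption, so site owners can judge the impact of upgrading.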