CVE-2025-1361

HIGH NUCLEI

Ip2location Country Blocker < 2.38.9 - Missing Authorization

Title source: rule

Description

The IP2Location Country Blocker plugin for WordPress is vulnerable to Regular Information Exposure in all versions up to, and including, 2.38.8 due to missing capability checks on the admin_init() function. This makes it possible for unauthenticated attackers to view the plugin's settings.

Nuclei Templates (1)

IP2Location Country Blocker < 2.38.9 - Unauthenticated Information Disclosure

HIGHVERIFIEDby pussycat0x

Shodan: http.html:"/wp-content/plugins/ip2location-country-blocker/"

FOFA: body="/wp-content/plugins/ip2location-country-blocker/"

References (4)

[Product] https://plugins.trac.wordpress.org/browser/ip2location-country-blocker/trunk/ip2location-country-blocker.php#L114

[Patch] https://plugins.trac.wordpress.org/changeset/3244193/

[Product] https://wordpress.org/plugins/ip2location-country-blocker/#developers

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/b63bc2b6-1abc-4cfa-a7e5-3995640f66a7?source=cve

Scores

CVSS v3 7.5

EPSS 0.0827

EPSS Percentile 92.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-862 CWE-285

Status published

Products (2)

ip2location/country_blocker < 2.38.9

ip2location/IP2Location Country Blocker < 2.38.8

Published Feb 22, 2025

Tracked Since Feb 18, 2026