Vulnerability Name: IP2Location Country Blocker < 2.26.5 - Subscriber+ Arbitrary Country Ban

Description: The plugin lacks both an authorization (capability) check and a CSRF (nonce) check in one of its AJAX actions. Because WordPress `wp_ajax_` hooks are reachable by every logged-in user, any authenticated user with only subscriber privileges can set the list of blocked countries arbitrarily, effectively denying frontend access to visitors from the banned countries (all of them, if the attacker chooses). Version 2.26.5 added the authorization check but not the CSRF check, so the missing nonce verification was tracked as a separate issue.

Proof of Concept: A code snippet is provided showing how a subscriber can ban visitors from all countries.

Affected Plugin: ip2location-country-blocker. The authorization flaw was fixed in version 2.26.5 (the CSRF half was not addressed in that release).

References: A CVE reference (CVE-2021-25095) and a URL link to the plugin's changeset on the WordPress.org Trac.

Vulnerability Classification:
- Type: Access Controls
- OWASP Top 10: A5: Broken Access Control
- CWE: CWE-284 (Improper Access Control)
- CVSS: 6.5 (medium)

Miscellaneous:
- Researcher and submitter details.
- A verification status indicating the vulnerability has been verified.
- A WPVDB ID associated with the vulnerability (cbfa7211-ac1f-4cf2-bd79-ebce2fc4baa1).

Timeline:
- Public disclosure and addition to the database took place on January 6, 2022.
- The information was last updated on April 8, 2022.

Other Related Vulnerabilities: A list of additional flaws discovered in various WordPress plugins and themes in different years, mostly access control issues.
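As an added illustrative example (this is not the plugin's code; the hook name, option name and nonce action `demo_cb_*` are hypothetical), the following shows the WordPress AJAX handler pattern this class of bug comes from, beside a hardened form that adds both checks the advisory says were missing:

```php
<?php
// Added example, not IP2Location Country Blocker's code.
// All demo_cb_* names are hypothetical.

// VULNERABLE pattern. Every logged-in user, including subscribers, can trigger
// a wp_ajax_* hook, so without a capability check anyone authenticated can
// overwrite the banned-country list; without a nonce check an admin can be
// made to do it via CSRF from another site.
add_action( 'wp_ajax_demo_cb_ban_countries', 'demo_cb_ban_countries_vulnerable' );
function demo_cb_ban_countries_vulnerable() {
    $countries = isset( $_POST['countries'] ) ? (array) $_POST['countries'] : array();
    update_option( 'demo_cb_banned', array_map( 'sanitize_text_field', $countries ) );
    wp_send_json_success();
}

// HARDENED pattern: authorization, then CSRF (nonce) verification, then input
// validation. Adding only the capability check, as the 2.26.5 release did for
// this plugin, still leaves the admin's own browser session usable via CSRF.
add_action( 'wp_ajax_demo_cb_ban_countries_v2', 'demo_cb_ban_countries_hardened' );
function demo_cb_ban_countries_hardened() {
    // 1. Authorization: only users allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }

    // 2. CSRF: nonce must match the action the admin page was issued for.
    //    check_ajax_referer() dies with -1 / HTTP 403 on a bad or missing nonce.
    check_ajax_referer( 'demo_cb_ban_countries', 'nonce' );

    // 3. Validation: accept only ISO 3166-1 alpha-2 codes, deduplicated.
    $countries = isset( $_POST['countries'] ) ? (array) wp_unslash( $_POST['countries'] ) : array();
    $clean     = array();
    foreach ( $countries as $code ) {
        $code = strtoupper( sanitize_text_field( $code ) );
        if ( preg_match( '/^[A-Z]{2}$/', $code ) ) {
            $clean[] = $code;
        }
    }
    $clean = array_values( array_unique( $clean ) );

    update_option( 'demo_cb_banned', $clean );
    wp_send_json_success( $clean );
}

// The admin page that sends the request must carry the matching nonce, e.g.:
// wp_localize_script( 'demo-cb-admin', 'demoCb',
//     array( 'nonce' => wp_create_nonce( 'demo_cb_ban_countries' ) ) );
// and the JavaScript posts it as the `nonce` field alongside `countries[]`.
```

The order matters: the capability check answers "is this user allowed to do this at all", the nonce check answers "did this user intend this request", and neither substitutes for the other. A nonce alone does not stop a subscriber who can obtain one from the plugin's own pages, and a capability check alone does not stop a cross-site request riding on an administrator's cookies.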