Skip to main content

Block Country CVE-2025-48077

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 24, 2026 - 01:05 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
8.8 (HIGH) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
HIGH 8.8

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in nitinmaurya12 Block Country block-country allows Stored XSS.This issue affects Block Country: from n/a through <= 1.0.

AnalysisAI

Cross-site request forgery (CSRF) in Block Country WordPress plugin versions up to 1.0 enables attackers to trick authenticated administrators into executing malicious requests that inject stored XSS payloads. This chained vulnerability allows unauthenticated remote attackers to achieve persistent code execution in victim browsers by combining CSRF with stored cross-site scripting, requiring only that an admin interact with a crafted link or page. EPSS probability is minimal (0.02%, 4th percentile) with no active exploitation identified, but the attack chain is straightforward given user interaction occurs.

Technical ContextAI

This vulnerability exploits missing CSRF token validation in the Block Country WordPress plugin's administrative functions, classified as CWE-352 (Cross-Site Request Forgery). The plugin appears to handle country-based access control features, likely maintaining settings or block lists through administrative interfaces. The absence of nonce verification allows attackers to forge requests that modify plugin settings or data on behalf of authenticated administrators. When combined with inadequate input sanitization (enabling the stored XSS component), the CSRF vector becomes a delivery mechanism for persistent malicious JavaScript. The WordPress plugin ecosystem commonly suffers from CSRF vulnerabilities when developers fail to implement wp_nonce_field() and check_admin_referer() functions in form processing. The changed scope (S:C) in the CVSS vector indicates the stored XSS can affect resources beyond the vulnerable plugin's security context, potentially compromising the entire WordPress admin interface.

Affected ProductsAI

The vulnerability affects Block Country WordPress plugin developed by nitinmaurya12, impacting all versions from initial release through version 1.0 and earlier. The plugin is distributed through the WordPress plugin repository and provides country-based access blocking functionality for WordPress sites. No CPE identifier was provided in the available data, but the plugin can be identified by its slug 'block-country' in WordPress installations. Vendor advisory and technical details are available through Patchstack's vulnerability database at the referenced URL.

RemediationAI

Upgrade Block Country plugin to version 1.0.1 or later if available, or remove the plugin entirely if country blocking functionality is not required for operations. As of this analysis, the Patchstack database reference does not confirm a specific patched version number - site administrators should check the WordPress plugin repository for updates released after version 1.0. If immediate upgrade or removal is not feasible, implement compensating controls: restrict WordPress admin panel access to trusted IP addresses or VPN-only connections to limit CSRF attack surface, enable two-factor authentication for all administrator accounts to add defense depth against session hijacking, and review plugin settings for any unauthorized modifications that may indicate prior exploitation. Consider replacing Block Country with actively maintained country-blocking solutions that have established security track records. Note that disabling the plugin without removing it may not fully mitigate risk if vulnerable code remains accessible. These workarounds reduce but do not eliminate risk, as determined attackers with admin interaction could still potentially exploit the CSRF vector. Consult Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/block-country/ for the latest remediation guidance and confirmed fix version.

Share

CVE-2025-48077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy