HTACCESS IP Blocker CVE-2025-60170
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Taraprasad Swain HTACCESS IP Blocker allows Stored XSS. This issue affects HTACCESS IP Blocker: from n/a through 1.0.
AnalysisAI
CSRF vulnerability in HTACCESS IP Blocker WordPress plugin enables stored XSS attacks against site administrators. Attackers can trick authenticated WordPress administrators into executing malicious actions that inject persistent JavaScript payloads through unprotected plugin endpoints. Affects all versions through 1.0. EPSS score of 0.01% (3rd percentile) suggests minimal observed exploitation attempts, though the attack requires only user interaction (UI:R) with no authentication barrier for the attacker. No active exploitation confirmed via CISA KEV at time of analysis.
Technical ContextAI
This is a WordPress plugin vulnerability combining CWE-352 (CSRF) as the attack vector to enable stored cross-site scripting. The HTACCESS IP Blocker plugin, designed to manage IP blocking rules in .htaccess files, lacks CSRF tokens (nonces) on administrative actions. This missing CSRF protection allows attackers to forge requests that appear to originate from legitimate administrators. When combined with insufficient input validation and output encoding, the CSRF weakness enables injection of persistent malicious scripts into the plugin's data storage, which then execute in the context of other administrator sessions. The Changed scope (S:C) in CVSS vector indicates the vulnerability affects resources beyond the vulnerable component itself, typical of XSS that can pivot to broader WordPress administrative functions.
Affected ProductsAI
WordPress HTACCESS IP Blocker plugin developed by Taraprasad Swain, all versions through 1.0. The vulnerability report from Patchstack (audit@patchstack.com) indicates version 1.0 as the last confirmed affected version, with no lower version boundary specified ('from n/a') suggesting all historical releases are vulnerable. The plugin is distributed through the WordPress plugin repository. Full technical details and proof-of-concept information available at https://patchstack.com/database/wordpress/plugin/htaccess-ip-blocker/vulnerability/wordpress-htaccess-ip-blocker-plugin-1-0-cross-site-request-forgery-csrf-vulnerability.
RemediationAI
No vendor-released patch or updated version identified at time of analysis. The Patchstack advisory does not reference a fixed version beyond 1.0, and no GitHub repository or official vendor advisory was provided in available references. Recommended immediate action: Disable and remove HTACCESS IP Blocker plugin until a patched version is released. Alternative compensating controls: (1) Implement IP blocking rules directly in server .htaccess files or through web application firewall (WAF) rather than WordPress plugin, eliminating the vulnerable component entirely. (2) If the plugin must remain active, restrict WordPress admin panel access to known trusted IP addresses via server-level ACLs, reducing CSRF attack surface by limiting who can receive forged requests - however this does not prevent attacks from compromised administrator workstations on trusted networks. (3) Deploy web application firewall with virtual patching capability to detect and block CSRF attempts lacking valid nonces on plugin endpoints - requires ongoing signature maintenance and may cause false positives on legitimate admin actions. Monitor Patchstack advisory at https://patchstack.com/database/wordpress/plugin/htaccess-ip-blocker for patch release announcements.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today