Skip to main content

HTACCESS IP Blocker CVE-2025-60170

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-09-26 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 24, 2026 - 01:19 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:14 vuln.today
CVE Published
Sep 26, 2025 - 09:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Taraprasad Swain HTACCESS IP Blocker allows Stored XSS. This issue affects HTACCESS IP Blocker: from n/a through 1.0.

AnalysisAI

CSRF vulnerability in HTACCESS IP Blocker WordPress plugin enables stored XSS attacks against site administrators. Attackers can trick authenticated WordPress administrators into executing malicious actions that inject persistent JavaScript payloads through unprotected plugin endpoints. Affects all versions through 1.0. EPSS score of 0.01% (3rd percentile) suggests minimal observed exploitation attempts, though the attack requires only user interaction (UI:R) with no authentication barrier for the attacker. No active exploitation confirmed via CISA KEV at time of analysis.

Technical ContextAI

This is a WordPress plugin vulnerability combining CWE-352 (CSRF) as the attack vector to enable stored cross-site scripting. The HTACCESS IP Blocker plugin, designed to manage IP blocking rules in .htaccess files, lacks CSRF tokens (nonces) on administrative actions. This missing CSRF protection allows attackers to forge requests that appear to originate from legitimate administrators. When combined with insufficient input validation and output encoding, the CSRF weakness enables injection of persistent malicious scripts into the plugin's data storage, which then execute in the context of other administrator sessions. The Changed scope (S:C) in CVSS vector indicates the vulnerability affects resources beyond the vulnerable component itself, typical of XSS that can pivot to broader WordPress administrative functions.

Affected ProductsAI

WordPress HTACCESS IP Blocker plugin developed by Taraprasad Swain, all versions through 1.0. The vulnerability report from Patchstack (audit@patchstack.com) indicates version 1.0 as the last confirmed affected version, with no lower version boundary specified ('from n/a') suggesting all historical releases are vulnerable. The plugin is distributed through the WordPress plugin repository. Full technical details and proof-of-concept information available at https://patchstack.com/database/wordpress/plugin/htaccess-ip-blocker/vulnerability/wordpress-htaccess-ip-blocker-plugin-1-0-cross-site-request-forgery-csrf-vulnerability.

RemediationAI

No vendor-released patch or updated version identified at time of analysis. The Patchstack advisory does not reference a fixed version beyond 1.0, and no GitHub repository or official vendor advisory was provided in available references. Recommended immediate action: Disable and remove HTACCESS IP Blocker plugin until a patched version is released. Alternative compensating controls: (1) Implement IP blocking rules directly in server .htaccess files or through web application firewall (WAF) rather than WordPress plugin, eliminating the vulnerable component entirely. (2) If the plugin must remain active, restrict WordPress admin panel access to known trusted IP addresses via server-level ACLs, reducing CSRF attack surface by limiting who can receive forged requests - however this does not prevent attacks from compromised administrator workstations on trusted networks. (3) Deploy web application firewall with virtual patching capability to detect and block CSRF attempts lacking valid nonces on plugin endpoints - requires ongoing signature maintenance and may cause false positives on legitimate admin actions. Monitor Patchstack advisory at https://patchstack.com/database/wordpress/plugin/htaccess-ip-blocker for patch release announcements.

Share

CVE-2025-60170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy