Fense Proxy Vpn Blocker
Monthly
Unauthenticated settings reset in the Fense Proxy & VPN Blocker WordPress plugin (versions up to and including 3.0.1) allows any remote attacker to wipe the plugin's API key cache and configuration by invoking an unprotected AJAX endpoint. The fense_bpvt_save_settings() function is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks without any capability check or nonce validation, meaning it is reachable without authentication and calls delete_option() and delete_transient() unconditionally on plugin-critical data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack is trivial to execute and carries a meaningful functional consequence: disabling the site's VPN and proxy detection capability.
Unauthenticated settings reset in the Fense Proxy & VPN Blocker WordPress plugin (versions up to and including 3.0.1) allows any remote attacker to wipe the plugin's API key cache and configuration by invoking an unprotected AJAX endpoint. The fense_bpvt_save_settings() function is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks without any capability check or nonce validation, meaning it is reachable without authentication and calls delete_option() and delete_transient() unconditionally on plugin-critical data. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack is trivial to execute and carries a meaningful functional consequence: disabling the site's VPN and proxy detection capability.