Description
WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page settings that execute when administrators or other authenticated users visit the plugin settings page.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an authenticated user to inject arbitrary JavaScript via the URL field in the Frontend Settings of the IP2Location Country Blocker plugin. Upon visiting the plugin settings page, the malicious script runs with the privileges of the logged‑in user, potentially enabling session hijacking, credential theft, or defacement. The weakness is a classic stored XSS flaw classified as CWE‑79.

Affected Systems

The issue affects WordPress sites running IP2Location Country Blocker version 2.26.7. Only this specific version is confirmed to be vulnerable; other versions of any IP2Location products are not known to be impacted.

Risk and Exploitability

With a CVSS score of 5.1 the vulnerability is moderate. Exploitation requires only that the attacker has authenticated access and can edit the plugin settings, so a user with any role that can access this interface can abuse it. EPSS data is not available and the flaw is not listed in CISA KEV. Because the script executes in the context of a visiting administrator, the risk to site ownership or to end users is significant for any compromised plugin account.

Generated by OpenCVE AI on May 10, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the IP2Location Country Blocker plugin to the latest version that removes the unescaped URL input field.
  • Delete or escape any malicious script that may have already been stored in the URL field of the Display page settings.
  • Restrict access to the plugin’s settings interface so that only administrators can edit the URL field, and consider implementing a content security policy that blocks inline scripts.

Generated by OpenCVE AI on May 10, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page settings that execute when administrators or other authenticated users visit the plugin settings page.
Title WordPress Plugin IP2Location Country Blocker 2.26.7 Stored XSS
First Time appeared Ip2location
Ip2location country Blocker
Weaknesses CWE-79
CPEs cpe:2.3:a:ip2location:country_blocker:2.26.7:*:*:*:*:*:*:*
Vendors & Products Ip2location
Ip2location country Blocker
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Ip2location Country Blocker
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:12:55.027Z

Reserved: 2026-01-11T13:34:26.333Z

Link: CVE-2022-50961

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:33.827

Modified: 2026-05-10T13:16:33.827

Link: CVE-2022-50961

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T13:30:12Z

Weaknesses