Impact
Country Blocker for AdSense establishes a mechanism to block certain geographies from accessing AdSense content. A flaw exists in versions up to 1.0 because the function that writes the new country rules does not enforce a nonce, allowing a crafted request to change settings without authentication. If an attacker can persuade an administrator to click a malicious link or otherwise submit a request, the plugin’s configuration could be altered to permit or deny traffic arbitrarily, undermining the site’s revenue and compliance controls.
Affected Systems
This issue affects the WordPress plugin Country Blocker for AdSense supplied by soyrodriguez, in all versions at or before 1.0. Any site running an affected version is susceptible, since those versions lack the protective nonce check. No explicit sub‑version range is given, so any installation of 1.0 or earlier is considered vulnerable.
Risk and Exploitability
With a CVSS score of 4.3 the flaw is rated medium severity. The EPSS score is reported as below 1 %, indicating a very low probability of exploitation under current conditions, and the vulnerability is not listed in CISA’s KEV catalog. Despite that, the attack vector is straightforward CSRF: an unauthenticated attacker needs only to trick a logged‑in administrator into visiting a crafted URL, so exploitation takes minimal effort. Consequently, the risk is moderate but non‑negligible for administrators who rely on the default trust WordPress places in logged‑in users.
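The mitigation for the flaw described in the Impact and Risk sections, shown as an added example rather than the plugin's own code: a WordPress settings handler for a country-block rule list that refuses any save request lacking a valid nonce and an authorised user. The function names (cba_*), the option key, the admin-post action slug and the form field names are assumptions; only the WordPress API calls (wp_nonce_field, check_admin_referer, current_user_can, update_option and friends) are real.

```php
<?php
/**
 * Added example (not the plugin's own code): a settings handler for a
 * hypothetical country-block rule list, hardened against CSRF.
 * Names below (cba_*, the option key, the action slug) are assumptions.
 */

// Render the form. wp_nonce_field() embeds a per-user, time-limited token
// bound to the action name; a request forged from another origin cannot
// include a valid one.
function cba_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cba' ) );
    }
    $blocked = (array) get_option( 'cba_blocked_countries', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cba_save_rules">
        <?php wp_nonce_field( 'cba_save_rules', 'cba_nonce' ); ?>
        <label for="cba_countries">Blocked country codes (comma-separated ISO 3166-1 alpha-2)</label>
        <input id="cba_countries" name="cba_countries" type="text"
               value="<?php echo esc_attr( implode( ',', $blocked ) ); ?>">
        <?php submit_button( 'Save rules' ); ?>
    </form>
    <?php
}

// Handle the POST. The pattern the advisory describes is a handler that
// writes request input straight to the option store; this one requires
// both a capability check and a nonce check before touching settings.
function cba_save_rules() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cba' ), '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce for the named action and
    // terminates the request with a 403 if it is missing or invalid.
    check_admin_referer( 'cba_save_rules', 'cba_nonce' );

    $raw   = isset( $_POST['cba_countries'] ) ? wp_unslash( $_POST['cba_countries'] ) : '';
    $codes = cba_parse_country_codes( sanitize_text_field( $raw ) );

    update_option( 'cba_blocked_countries', $codes );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=cba' ) ) );
    exit;
}

// Accept only two-letter alpha-2 codes, upper-cased and de-duplicated, so
// even a legitimate request cannot store arbitrary strings in the rule list.
function cba_parse_country_codes( $input ) {
    $out = array();
    foreach ( explode( ',', $input ) as $piece ) {
        $code = strtoupper( trim( $piece ) );
        if ( preg_match( '/^[A-Z]{2}$/', $code ) ) {
            $out[ $code ] = true;
        }
    }
    return array_keys( $out );
}

add_action( 'admin_post_cba_save_rules', 'cba_save_rules' );
```

A form submitted from a third-party page carries the victim's session cookie but not the nonce, so check_admin_referer() rejects it before update_option() runs. The capability check is kept separately because a WordPress nonce is only a CSRF token, not an authorisation decision: a lower-privileged user who can obtain a nonce for this action must still be refused.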
OpenCVE Enrichment