Description
The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header.
Published: 2026-01-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass via IP Spoofing
Action: Apply Patch
AI Analysis

Impact

The AA Block Country plugin for WordPress takes the X-Forwarded-For header as the client's IP address without first checking that the request arrived through a trusted proxy. An unauthenticated attacker can put any value in that header, so the plugin treats the request as coming from an allow-listed address and lets it through the IP-based restrictions. The flaw is CWE-348 (Use of Less Trusted Source). It can expose content or functionality the site meant to restrict by source address; the CVSS vector rates the impact as a limited loss of integrity (C:N/I:L/A:N), which is why the score sits in the moderate range.
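The header-trust mistake described above, next to a corrected resolver, as an added example in Python that is not code from the plugin, from Wordfence or from OpenCVE. It models the PHP pattern the advisory describes (preferring HTTP_X_FORWARDED_FOR over REMOTE_ADDR) in a language-neutral way; the allow-list 203.0.113.0/24, the trusted-proxy ranges 10.0.0.0/8 and 192.0.2.10/32, and the attacker address 198.51.100.77 are constructed values, not anything from the advisory. The hardened resolver consults X-Forwarded-For only when the TCP peer is a trusted proxy, then walks the chain from the right, skipping proxies it trusts, so the hop the attacker actually came from is the one that gets evaluated.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed deployment facts for the demonstration (assumptions, not advisory data).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # clients the site lets through
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),        # internal reverse proxies
                   ipaddress.ip_network("192.0.2.10/32")]     # one external edge node


def _parse_ip(text: str) -> Optional[IPAddr]:
    """Strict parse: 'evil', '203.0.113.5:443' or an empty hop all come back as None."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _in_any(ip: IPAddr, networks: Iterable[Net]) -> bool:
    # Address/network version mismatches simply compare False, so mixed v4/v6 is safe.
    return any(ip in net for net in networks)


def client_ip_vulnerable(remote_addr: str, headers: Dict[str, str]) -> str:
    """The pattern the advisory describes: if X-Forwarded-For is present, believe it.
    The first hop is whatever the client typed, so the allow-list check below runs
    on an attacker-chosen string."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, headers: Dict[str, str],
                       trusted_proxies: Iterable[Net] = TRUSTED_PROXIES) -> str:
    """Honour X-Forwarded-For only for hops appended by proxies we trust.
    If the socket peer is not a trusted proxy the header is attacker-controlled and
    is ignored. Otherwise walk right-to-left: each trusted proxy vouches for the hop
    to its left, and the first untrusted hop is the real client. A malformed hop
    stops the walk and falls back to the peer address (fail closed)."""
    peer = _parse_ip(remote_addr)
    if peer is None or not _in_any(peer, trusted_proxies):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            break
        if not _in_any(ip, trusted_proxies):
            return str(ip)
    return remote_addr   # every hop was one of our proxies, or the header was absent


def is_allowed(ip_text: str, allowed: Iterable[Net] = ALLOWED_NETWORKS) -> bool:
    ip = _parse_ip(ip_text)
    return ip is not None and _in_any(ip, allowed)


if __name__ == "__main__":
    attacker = "198.51.100.77"                       # constructed: connects directly, no proxy
    spoof = {"X-Forwarded-For": "203.0.113.5"}       # claims an allow-listed address
    print("vulnerable resolver lets it through:", is_allowed(client_ip_vulnerable(attacker, spoof)))
    print("hardened resolver lets it through:  ", is_allowed(client_ip_hardened(attacker, spoof)))
```

The rightmost-untrusted rule only works when every trusted proxy appends the address it observed on its own socket; a proxy that passes a client-supplied X-Forwarded-For through untouched re-creates the original bug one hop upstream, so the proxy configuration is part of the fix, not just the plugin code.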

Affected Systems

Vulnerable systems are WordPress installations running the aaextensions AA Block Country plugin at version 1.0.1 or earlier. The plugin exists to block traffic from specific countries or IP ranges, so a flaw in how it determines the client IP undermines the whole filter: the block decision is only as good as the address it is made on.

Risk and Exploitability

The CVSS 3.1 score of 5.3 puts the risk in the moderate range, and the EPSS score below 1% indicates that exploitation in the wild is currently unlikely; the vulnerability is not in the CISA KEV catalog. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) describes a network-reachable, low-complexity attack that needs no privileges or user interaction: any visitor who can send an HTTP request can add a forged X-Forwarded-For header, and the SSVC assessment marks the attack as automatable. The outcome is an access-control bypass (being treated as an allow-listed client), not a privilege escalation within WordPress.

Generated by OpenCVE AI on April 22, 2026 at 15:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AA Block Country plugin to a release newer than 1.0.1 once one that corrects the header handling is published (none was listed under Remediation when this page was generated).
  • Configure the plugin or the web server to honour X-Forwarded-For only when the connecting peer is one of your own trusted proxies, and to use the socket peer address (REMOTE_ADDR) otherwise.
  • At the edge (firewall, load balancer or WAF), strip any X-Forwarded-For value supplied by the client and have the proxy append the address it actually observed, so the header is never attacker-controlled by the time it reaches WordPress.
  • Log X-Forwarded-For next to the socket peer address and review access logs for the header arriving from peers that are not your proxies, or for forwarded chains that name an allow-listed address while the hop the proxy appended does not.
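The log-monitoring item above, as an added example in Python that is not part of the OpenCVE page or of the plugin. It scans constructed Apache-style access log lines in which the X-Forwarded-For header is logged as a final quoted field (the combined format with %{X-Forwarded-For}i appended) and flags two patterns: a forwarded header arriving from a peer that is not one of the site's proxies, and a forwarded chain that names an allow-listed address even though the hop the proxy itself appended is not allow-listed. The log lines, the proxy range 10.0.0.0/8 and the allow-list 203.0.113.0/24 are constructed, and the detector assumes a single layer of proxies so that the rightmost hop is the address the proxy observed.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed deployment facts for the demonstration (assumptions, not advisory data).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Apache "combined" format with "%{X-Forwarded-For}i" appended as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Constructed sample lines: a direct spoof, a spoof sent through the real proxy,
# a clean proxied request, and a direct request that carries no header at all.
SAMPLE_LOG = """\
198.51.100.77 - - [07/Jan/2026:12:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 512 "-" "curl/8.4.0" "203.0.113.5"
10.0.0.5 - - [07/Jan/2026:12:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.5, 198.51.100.77"
10.0.0.5 - - [07/Jan/2026:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "203.0.113.9"
198.51.100.77 - - [07/Jan/2026:12:00:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/8.4.0" "-"
"""


def _in_any(text: str, networks: Iterable) -> bool:
    """True when text parses as an address inside one of the networks; junk is False."""
    try:
        return any(ipaddress.ip_address(text) in n for n in networks)
    except ValueError:
        return False


def classify(peer: str, xff: str) -> str:
    """Return a finding label for one request, or '' when nothing looks wrong."""
    if xff in ("", "-"):
        return ""
    if not _in_any(peer, TRUSTED_PROXIES):
        # Only our proxies should ever set this header; anyone else is forging it.
        return "xff-from-untrusted-peer"
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Single proxy layer assumed: the rightmost hop is what the proxy saw on its socket,
    # everything to its left was supplied by the client and is a claim, not a fact.
    real_client, claimed = hops[-1], hops[:-1]
    if not _in_any(real_client, ALLOWED_NETWORKS) and any(_in_any(h, ALLOWED_NETWORKS) for h in claimed):
        return "allowlisted-address-spoofed-behind-proxy"
    return ""


def scan(log_text: str) -> List[Dict[str, str]]:
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line; a real deployment would count and surface these
        label = classify(m["peer"], m["xff"])
        if label:
            findings.append({"peer": m["peer"], "xff": m["xff"], "request": m["req"], "finding": label})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The first rule needs no knowledge of the allow-list at all, which makes it the cheaper alert to run continuously: on a site where only the proxies should ever set the header, any X-Forwarded-For from another peer is either a misconfiguration or a spoofing attempt, and both are worth a ticket.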

Generated by OpenCVE AI on April 22, 2026 at 15:49 UTC.


Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 09:30:00 +0000

Type          Values Removed   Values Added
Description                    The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header.
Title                          AA Block country <= 1.0.1 - Unauthenticated IP Address Spoofing via X-Forwarded-For Header
Weaknesses                     CWE-348
References
Metrics                        cvssV3_1
                               {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:55.677Z

Reserved: 2025-11-25T21:02:52.883Z

Link: CVE-2025-13694

Vulnrichment

Updated: 2026-01-07T16:12:04.446Z

NVD

Status : Deferred

Published: 2026-01-07T12:16:49.700

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13694

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:00:12Z

Weaknesses