Description
The IP2Location Redirection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'download_ip2location_redirection_backup' AJAX action in all versions up to, and including, 1.33.3. This makes it possible for unauthenticated attackers to download the plugin's settings.
Published: 2025-03-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access to plugin settings can be obtained by unauthenticated users
Action: Immediate Patch
AI Analysis

Impact

The plugin fails to verify user permissions for the AJAX action that provides a backup of all settings, allowing anyone who can reach the endpoint to retrieve confidential configuration data. The weakness is a classic missing authorization flaw as described by CWE-862. The impact is the disclosure of sensitive configuration that could assist in further attacks against the WordPress site.

Affected Systems

WordPress sites that use the IP2Location Redirection plugin versions up to and including 1.33.3 are affected. The issue is present in all releases of the plugin through 1.33.3 and affects any instance where the plugin is installed, regardless of theme or other plugins.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% shows a low probability of exploitation today; the vulnerability is not yet listed in the CISA KEV catalog. Attackers can trigger the flaw by sending an unauthenticated HTTP request to the AJAX URL for download_ip2location_redirection_backup, which returns the full backup file. Because no authentication checks occur, the data is exposed without restrictions.

Generated by OpenCVE AI on April 21, 2026 at 22:10 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the IP2Location Redirection plugin to the latest version available that is newer than 1.33.3.
  • If an update cannot be applied immediately, block or remove the "download_ip2location_redirection_backup" AJAX action by adding a code snippet that declines requests without proper capability.
  • After remediation, review other AJAX handlers in the plugin to ensure no similar authorization gaps exist and monitor logs for attempts to access exported settings.
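A mitigation along the lines of the second recommended action, written as an added example that is not the plugin's or OpenCVE's own code: a must-use plugin that short-circuits the vulnerable AJAX action unless the caller holds an administrative capability. It assumes the plugin registers its handler on the standard wp_ajax_ / wp_ajax_nopriv_ hooks at the default priority and that manage_options is the capability that should gate the settings export; the file name and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Gate IP2Location Redirection backup export (hypothetical mitigation)
 * Description: Added example for CVE-2025-1502. Refuses the
 *              download_ip2location_redirection_backup AJAX action
 *              unless the caller can manage_options.
 * Install:     copy to wp-content/mu-plugins/ so it loads before regular plugins.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

define( 'IP2L_BACKUP_ACTION', 'download_ip2location_redirection_backup' );

/**
 * Deny the request and stop processing. Hooked at priority 0 so it runs before
 * the plugin's own handler (assumed to be registered at the default priority 10).
 * wp_send_json_error() ends the request via wp_die(), so the vulnerable
 * callback never executes for a rejected caller.
 */
function ip2l_mitigation_deny_backup_export() {
    // Administrators keep the export; everyone else is refused.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Detection aid: the advisory recommends monitoring for export attempts.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'CVE-2025-1502 mitigation: blocked %s from %s (user id %d)',
        IP2L_BACKUP_ACTION,
        $ip,
        get_current_user_id()
    ) );

    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

// Unauthenticated callers, the vector described in the advisory ...
add_action( 'wp_ajax_nopriv_' . IP2L_BACKUP_ACTION, 'ip2l_mitigation_deny_backup_export', 0 );
// ... and logged-in users who lack the capability (e.g. subscribers).
add_action( 'wp_ajax_' . IP2L_BACKUP_ACTION, 'ip2l_mitigation_deny_backup_export', 0 );
```

Remove the file once the plugin has been upgraded to a release newer than 1.33.3.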

Tracking

Advisories
Source: EUVD
ID: EUVD-2025-5888
Title: The IP2Location Redirection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'download_ip2location_redirection_backup' AJAX action in all versions up to, and including, 1.33.3. This makes it possible for unauthenticated attackers to download the plugin's settings.
History

Tue, 04 Mar 2025 03:45:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 01 Mar 2025 07:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The IP2Location Redirection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'download_ip2location_redirection_backup' AJAX action in all versions up to, and including, 1.33.3. This makes it possible for unauthenticated attackers to download the plugin's settings.
Title       |                | IP2Location Redirection <= 1.33.3 - Missing Authorization to Unauthenticated Settings Export
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:46.424Z

Reserved: 2025-02-20T18:22:24.762Z

Link: CVE-2025-1502

Vulnrichment

Updated: 2025-03-03T20:54:53.404Z

NVD

Status: Deferred

Published: 2025-03-01T07:15:11.183

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z

Weaknesses