Description
Cross-Site Request Forgery (CSRF) vulnerability in nitinmaurya12 Block Country block-country allows Stored XSS.This issue affects Block Country: from n/a through <= 1.0.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery that permits an attacker to inject malicious scripts, resulting in stored cross‑site scripting. The flaw allows request forging because the Block Country plugin lacks CSRF protection, enabling an attacker to submit a crafted request that stores user‑supplied content in the database, which will then be rendered on any page that displays the block. The resulting stored XSS can steal user credentials, inject malware, or deface the site.

Affected Systems

Affected systems are WordPress installations that include the nitinmaurya12 Block Country plugin version 1.0 or earlier. The plugin is available from WordPress.org and is commonly used to restrict content by country. No other vendors or product versions are listed.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact potential. The EPSS score of less than 1% shows a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely network‑based and relies on a logged‑in user performing a forged request; an attacker does not need elevated host privileges but requires an authenticated session to make the request, after which the stored script can execute in any visitor's browser.

Generated by OpenCVE AI on April 30, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Block Country plugin to the latest version (>=1.1) or remove it if no fix is available.
  • Limit the country‑block configuration interface to administrators, or disable country‑blocking functionality if it is not required for the site.
  • Review the plugin’s input handling to ensure that any user‑supplied data is properly escaped before rendering, and consider switching to a trusted alternative if the source code is not maintained.

Generated by OpenCVE AI on April 30, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Mon, 10 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in nitinmaurya12 Block Country block-country allows Stored XSS.This issue affects Block Country: from n/a through <= 1.0.
Title WordPress Block Country plugin <= 1.0 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability
Weaknesses CWE-352
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:50.225Z

Reserved: 2025-05-15T17:53:58.198Z

Link: CVE-2025-48077

cve-icon Vulnrichment

Updated: 2025-11-10T19:39:38.124Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:15:51.513

Modified: 2026-04-27T20:16:05.530

Link: CVE-2025-48077

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:30:06Z

Weaknesses