Description

The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value.

PUBLISHED Reserved 2026-01-30 | Published 2026-02-07 | Updated 2026-02-11 | Assigner Wordfence




MEDIUM: 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-1188 Initialization of a Resource with an Insecure Default

Product status

Default status: unaffected

* (semver): affected

Timeline

2026-02-06: Disclosed

Credits

Hector Flores (finder)

References

www.wordfence.com/...-83f9-41f9-9bc5-1f533bc4cb94?source=cve

plugins.trac.wordpress.org/.../advanced-country-blocking.php

plugins.trac.wordpress.org/.../advanced-country-blocking.php

plugins.trac.wordpress.org/.../advanced-country-blocking.php

cve.org (CVE-2026-1675)

nvd.nist.gov (CVE-2026-1675)
