The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value.
PUBLISHED5.2CWE-1188
Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secret Key
Problem type
Affected products
brstefanovic
Advanced Country Blocker
<= 2.3.1 - AFFECTED
References
wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/30747988-83f9-41f9-9bc5-1f533bc4cb94?source=cve
plugins.trac.wordpress.org
https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L278
plugins.trac.wordpress.org
https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L336
plugins.trac.wordpress.org
https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L420
GitHub Security Advisories
GHSA-73p7-57gm-896g
The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all...
https://github.com/advisories/GHSA-73p7-57gm-896gThe Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-1675
plugins.trac.wordpress.org
https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L278
plugins.trac.wordpress.org
https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L336
plugins.trac.wordpress.org
https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L420
wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/30747988-83f9-41f9-9bc5-1f533bc4cb94?source=cve
github.com
https://github.com/advisories/GHSA-73p7-57gm-896g
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-1675Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-1675",
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"dateUpdated": "2026-02-07T08:26:37.529Z",
"dateReserved": "2026-01-30T01:48:15.248Z",
"datePublished": "2026-02-07T08:26:37.529Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence",
"dateUpdated": "2026-02-07T08:26:37.529Z"
},
"title": "Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secret Key",
"descriptions": [
{
"lang": "en",
"value": "The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value."
}
],
"affected": [
{
"vendor": "brstefanovic",
"product": "Advanced Country Blocker",
"defaultStatus": "unaffected",
"versions": [
{
"version": "*",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "2.3.1"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-1188 Initialization of a Resource with an Insecure Default",
"cweId": "CWE-1188",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30747988-83f9-41f9-9bc5-1f533bc4cb94?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L278"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L336"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L420"
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"baseScore": 5.3,
"baseSeverity": "MEDIUM"
}
}
],
"timeline": [
{
"time": "2026-02-06T20:24:09.000+00:00",
"lang": "en",
"value": "Disclosed"
}
],
"credits": [
{
"lang": "en",
"value": "Hector Flores",
"type": "finder"
}
]
}
}
}