CVE-2025-13694
AA Block country <= 1.0.1 - Unauthenticated IP Address Spoofing via X-Forwarded-For Header
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header.
| CWE | CWE-348 |
| Vendor | aaextensions |
| Product | aa block country |
| Published | Jan 7, 2026 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for aaextensions aa block country
Be the first to know when new medium vulnerabilities affecting aaextensions aa block country are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
aaextensions / AA Block country
0 โค 1.0.1
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/037ac32a-dc2e-4e9f-9318-65dfee1c80e9?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/aa-block-country/trunk/aablockcountry.php#L26 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/aa-block-country/tags/1.0.1/aablockcountry.php#L26
Credits
Ivan Cese