{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13413", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-19T14:38:42.590Z", "datePublished": "2026-02-19T04:36:06.743Z", "dateUpdated": "2026-04-08T16:36:36.711Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:36.711Z"}, "affected": [{"vendor": "soyrodriguez", "product": "Country Blocker for AdSense", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Country Blocker for AdSense plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the CBFA_guardar_cbfa() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Country Blocker for AdSense <= 1.0 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/134130a9-4750-4a63-88a0-60d4285acb77?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/country-blocker-for-adsense/trunk/index.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/country-blocker-for-adsense/tags/1.0/index.php#L46"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "timeline": [{"time": "2026-02-18T15:38:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:04:00.352009Z", "id": "CVE-2025-13413", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:39:31.661Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13413", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:04:00.352009Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:04:02.404Z"}}], "cna": {"title": "Country Blocker for AdSense <= 1.0 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "soyrodriguez", "product": "Country Blocker for AdSense", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T15:38:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/134130a9-4750-4a63-88a0-60d4285acb77?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/country-blocker-for-adsense/trunk/index.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/country-blocker-for-adsense/tags/1.0/index.php#L46"}], "descriptions": [{"lang": "en", "value": "The Country Blocker for AdSense plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the CBFA_guardar_cbfa() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:36.711Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13413", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:36:36.711Z", "dateReserved": "2025-11-19T14:38:42.590Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:06.743Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Country Blocker for AdSense plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the CBFA_guardar_cbfa() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Country Blocker para AdSense para WordPress es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 1.0, inclusive. Esto se debe a la falta de validaci\u00f3n de nonce en la funci\u00f3n CBFA_guardar_cbfa(). Esto hace posible que atacantes no autenticados actualicen la configuraci\u00f3n del plugin mediante una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-13413", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:30.517", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/country-blocker-for-adsense/tags/1.0/index.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/country-blocker-for-adsense/trunk/index.php#L46"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/134130a9-4750-4a63-88a0-60d4285acb77?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Country Blocker for AdSense", "source": "cna", "vendor": "soyrodriguez"}, "product": "country_blocker_for_adsense", "vendor": "soyrodriguez"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T15:25:56.764269+00:00", "value": {"mitigation_remediation": ["Update Country Blocker for AdSense to the latest available version or uninstall the plugin if it is no longer required.", "If an update cannot be applied, remove or disable the settings page that performs configuration writes to eliminate the CSRF surface.", "Enable two\u2011factor authentication for all WordPress administrator accounts to reduce the chance that an admin will unknowingly submit a malicious request."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated modification of WordPress plugin settings through CSRF"}, "threat_synthesis": {"affected_systems": "This issue affects the WordPress plugin Country Blocker for AdSense supplied by soyrodriguez, in all versions at or before 1.0. Sites running this plugin without a protective nonce check are susceptible. No explicit sub\u2011version range is given, so any installation of 1.0 or earlier is considered vulnerable.", "description_and_impact": "Country Blocker for AdSense establishes a mechanism to block certain geographies from accessing AdSense content. A flaw exists in versions up to 1.0 because the function that writes the new country rules does not enforce a nonce, allowing a crafted request to change settings without authentication. If an attacker can persuade an administrator to click a malicious link or otherwise submit a request, the plugin\u2019s configuration could be altered to permit or deny traffic arbitrarily, undermining the site\u2019s revenue and compliance controls.", "risk_and_exploitability": "With a CVSS score of 4.3 the flaw is considered medium severity. The EPSS score is reported as less than 1\u202f%, indicating a very low probability of exploitation under current conditions, and the vulnerability is not listed in CISA\u2019s KEV catalog. Despite that, the attack vector is straightforward CSRF against an unauthenticated user, making it exploitible with minimal effort if an admin is tricked into visiting a particular URL. Consequently, the risk is moderate but non\u2011negligible for administrators that rely on default trust in logged\u2011in users."}}}}, "created": "2026-02-19T10:07:23.511769+00:00", "updated": "2026-04-22T15:30:20.778735+00:00", "vendors": ["soyrodriguez", "soyrodriguez$PRODUCT$country_blocker_for_adsense", "wordpress", "wordpress$PRODUCT$wordpress"]}