{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13694", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-25T21:02:52.883Z", "datePublished": "2026-01-07T09:20:51.402Z", "dateUpdated": "2026-04-08T16:32:55.677Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:55.677Z"}, "affected": [{"vendor": "aaextensions", "product": "AA Block country", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header."}], "title": "AA Block country <= 1.0.1 - Unauthenticated IP Address Spoofing via X-Forwarded-For Header", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/037ac32a-dc2e-4e9f-9318-65dfee1c80e9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/aa-block-country/trunk/aablockcountry.php#L26"}, {"url": "https://plugins.trac.wordpress.org/browser/aa-block-country/tags/1.0.1/aablockcountry.php#L26"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-348 Use of Less Trusted Source", "cweId": "CWE-348", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "timeline": [{"time": "2026-01-06T20:30:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T16:11:58.195311Z", "id": "CVE-2025-13694", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:12:08.326Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13694", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T16:11:58.195311Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:12:04.446Z"}}], "cna": {"title": "AA Block country <= 1.0.1 - Unauthenticated IP Address Spoofing via X-Forwarded-For Header", "credits": [{"lang": "en", "type": "finder", "value": "Ivan Cese"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "aaextensions", "product": "AA Block country", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T20:30:39.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/037ac32a-dc2e-4e9f-9318-65dfee1c80e9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/aa-block-country/trunk/aablockcountry.php#L26"}, {"url": "https://plugins.trac.wordpress.org/browser/aa-block-country/tags/1.0.1/aablockcountry.php#L26"}], "descriptions": [{"lang": "en", "value": "The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-348", "description": "CWE-348 Use of Less Trusted Source"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-07T09:20:51.402Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13694", "state": "PUBLISHED", "dateUpdated": "2026-01-07T16:12:08.326Z", "dateReserved": "2025-11-25T21:02:52.883Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T09:20:51.402Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header."}, {"lang": "es", "value": "El plugin AA Block Country para WordPress es vulnerable a la suplantaci\u00f3n de direcci\u00f3n IP en versiones hasta la 1.0.1, inclusive. Esto se debe a que el plugin conf\u00eda en encabezados proporcionados por el usuario, como HTTP_X_FORWARDED_FOR, para determinar la direcci\u00f3n IP del cliente sin una validaci\u00f3n adecuada o sin considerar si el servidor est\u00e1 detr\u00e1s de un proxy de confianza. Esto hace posible que atacantes no autenticados eludan las restricciones de acceso basadas en IP suplantando su direcci\u00f3n IP a trav\u00e9s del encabezado X-Forwarded-For."}], "id": "CVE-2025-13694", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:49.700", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/aa-block-country/tags/1.0.1/aablockcountry.php#L26"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/aa-block-country/trunk/aablockcountry.php#L26"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/037ac32a-dc2e-4e9f-9318-65dfee1c80e9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-348"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:49:57.617630+00:00", "value": {"mitigation_remediation": ["Update the AA Block Country plugin to a version newer than 1.0.1 so that header validation logic is corrected. ", "Configure the plugin or the web server to ignore the X-Forwarded-For header unless it originates from a trusted, internal proxy. ", "Implement firewall or application layer rules that strip or block unauthenticated X-Forwarded-For headers to prevent spoofing. ", "Regularly monitor access logs for repeated appearance of malicious IP addresses or unusually rapid changes in client IPs that may indicate spoofing attempts."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass via IP Spoofing"}, "threat_synthesis": {"affected_systems": "Vulnerable systems are WordPress installations that have the aaextensions AA Block Country plugin installed on a version 1.0.1 or earlier. The plugin is responsible for blocking traffic from specific countries or IP ranges, so compromise of its IP determination logic directly undermines its filtering capability.", "description_and_impact": "The AA Block Country plugin for WordPress accepts the X-Forwarded-For header as a literal source of the client IP address without verifying that the request came through a trusted proxy. An unauthenticated attacker can inject an arbitrary value into this header, causing the plugin to believe the request originates from a whitelisted IP address and thereby bypass IP\u2011based access restrictions. This flaw falls under CWE\u2011348 and can lead to unauthorized access to restricted content or functionality on the site, creating a moderate level of security risk.", "risk_and_exploitability": "The CVSS score of 5.3 categorizes the risk as moderate while the EPSS score of less than 1% suggests the likelihood of automated exploitation is low at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be via an HTTP request that supplies a forged X-Forwarded-For header; because no user authentication is required, any visitor can craft such a request and benefit from the privilege escalation."}}}}, "created": "2026-01-08T09:49:20.439509+00:00", "updated": "2026-04-22T16:00:12.094094+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}