HIGH · CVE-2025-48077 · CVSS 7.1

CVE-2025-48077: XSS in Block Country WordPress Plugin

Platform

wordpress

Component

block-country

Fixed in

1.0.1

AI Confidence: high · Source: NVD · EPSS: 0.0% · Reviewed: May 2026

CVE-2025-48077 is a Cross-Site Request Forgery (CSRF) vulnerability in the Block Country WordPress plugin that leads to Stored XSS. A state-changing request path in the plugin does not verify (for example with a nonce) that the request was intentionally sent by the authenticated user, so an attacker who gets a logged-in user, typically an administrator, to load a crafted page can have that user's browser submit a request that stores attacker-controlled markup through the plugin. Because the stored value is not adequately sanitized or escaped, it is later rendered as script in the browsers of users who view the affected page. Versions 0.0.0 through 1.0 are affected; the fix is in version 1.0.1.


Impact and Attack Scenarios

The primary impact of CVE-2025-48077 is execution of attacker-chosen JavaScript in the browser of any user who views the page where the stored value is rendered. That enables the usual consequences of XSS in a WordPress admin context: session hijacking and theft of authentication cookies, actions taken with the victim's privileges (such as creating users or changing settings), defacement, and redirection to phishing pages. The CSRF step is what makes the initial write possible without credentials: the attacker needs no account on the site, but does need a user who is logged in with sufficient rights to submit the plugin's request (the CVSS vector records this as Privileges Required: None, User Interaction: Required). The forged request is usually delivered by an auto-submitting form on a page the victim is lured to, so exploitation still depends on social engineering of a privileged user; once the payload is stored, however, it fires for every later viewer without further interaction. The blast radius is every site running an affected version, with administrators as the most valuable targets.

Exploitation Context

CVE-2025-48077 was publicly disclosed on 2025-11-06. No public proof-of-concept (PoC) code has been identified as of that date. The EPSS score is 0.02%, i.e. a very low predicted probability of exploitation in the next 30 days. It is not listed in the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (4th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Base score: 7.1 (HIGH)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)
nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — the impact lands outside the security authority of the vulnerable component. For XSS this is the standard scoring: the plugin running on the server is the vulnerable component, but the injected script executes in the victim's browser.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: block-country
Vendor: nitinmaurya12
Affected range: 0 – 1.0
Fixed in: 1.0.1

Package Information

Active installs
70
Plugin rating
3.0
Requires WordPress
3.2+
Compatible up to
3.6.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The recommended mitigation for CVE-2025-48077 is to upgrade the Block Country plugin to version 1.0.1 or later. If upgrading is not immediately feasible, deactivate the plugin until it is: CSRF protection in WordPress lives inside the plugin's own request handlers (nonce verification together with a capability check), so a site owner cannot add it to a third-party plugin from the outside, and the 'sanitize_callback' argument of register_setting() is an input-sanitization hook, not a CSRF defence. Restricting who can reach wp-admin (IP allow-listing, a login-protection or WAF plugin) shrinks the pool of sessions an attacker could abuse but does not close the flaw. Note also that upgrading does not remove a payload that was stored before the patch; if the site may have been exposed, inspect the plugin's stored options for unexpected markup. After upgrading, verify on a staging copy that a benign marker string submitted through the plugin's input fields is stored sanitized and rendered escaped rather than executed; do not run injection tests against production.
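The following PHP is an added illustration written for this page, not code from the Block Country plugin or its author. It shows a generic WordPress option-saving handler in the insecure shape that produces CSRF-to-stored-XSS, as described in the impact section above, beside the hardened shape a fix takes (capability check, nonce check, input sanitization, output escaping). Every identifier in it (the `demo_bc_*` action names, the `demo_bc_blocked` option, the `demo-bc` page slug, the `blocked` field) is hypothetical; the plugin's real option names and endpoints are not known from this page.

```php
<?php
/**
 * Hypothetical settings handler for a "block a country" option.
 * Written as an illustration for this page; NOT the Block Country plugin's code.
 * All option/action/slug names are made up.
 */

// --- Insecure pattern (shown only for contrast; never ship this) ---
// No capability check, no nonce, no sanitization. Any POST to
// admin-post.php?action=demo_bc_save_insecure that a logged-in admin's browser
// sends (e.g. from an auto-submitting form on an attacker's page) is accepted
// and the raw attacker-controlled value is written to the database.
add_action( 'admin_post_demo_bc_save_insecure', function () {
    update_option( 'demo_bc_blocked', $_POST['blocked'] ?? '' ); // raw input stored
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-bc' ) );
    exit;
} );

// --- Hardened pattern ---
add_action( 'admin_post_demo_bc_save', function () {
    // 1. Capability check: only users allowed to manage options may change this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF check: the request must carry the nonce issued to this user for
    //    this action. A cross-site form cannot know it, so a forged POST dies here.
    check_admin_referer( 'demo_bc_save', 'demo_bc_nonce' );
    // 3. Input sanitization: reduce the value to a plain string (tags stripped).
    $blocked = sanitize_text_field( wp_unslash( $_POST['blocked'] ?? '' ) );
    update_option( 'demo_bc_blocked', $blocked );
    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=demo-bc' ) )
    );
    exit;
} );

add_action( 'admin_menu', function () {
    add_options_page(
        'Demo Block Country', 'Demo Block Country', 'manage_options',
        'demo-bc', 'demo_bc_render_page'
    );
} );

function demo_bc_render_page() {
    $blocked = get_option( 'demo_bc_blocked', '' );
    ?>
    <div class="wrap">
        <h1>Demo Block Country</h1>
        <!-- 4. Output escaping: even if a bad value already sits in the database
             (stored before the fix, or edited directly), escaping on output keeps
             it from executing as script. -->
        <p>Currently blocked: <?php echo esc_html( $blocked ); ?></p>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="demo_bc_save">
            <?php wp_nonce_field( 'demo_bc_save', 'demo_bc_nonce' ); ?>
            <input type="text" name="blocked" value="<?php echo esc_attr( $blocked ); ?>">
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}
```

The four numbered steps are independent defences: the nonce alone stops the cross-site write, but sanitization on input and escaping on output are what keep a value that reached the database by any other route from becoming stored XSS. If the plugin used the Settings API instead of admin-post.php, the equivalent of step 3 is the `sanitize_callback` argument to `register_setting()`, and the nonce and capability checks of step 1 and 2 are performed by WordPress core's options.php; step 4 still has to be done in the plugin's own template.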

How to fix

Update the Block Country plugin to version 1.0.1 or later, from the Plugins screen in the WordPress admin or with WP-CLI; that version contains the fix for the CSRF path that enables stored XSS. Refer to the plugin's page in the wordpress.org plugin repository for the latest version, changelog and update instructions.


Frequently asked questions

What is CVE-2025-48077 — XSS in Block Country WordPress Plugin?

CVE-2025-48077 is a CSRF-based Stored XSS vulnerability in the Block Country WordPress plugin, allowing attackers to inject malicious scripts.

Am I affected by CVE-2025-48077 in Block Country WordPress Plugin?

You are affected if you are using Block Country versions 0.0.0 through 1.0. Upgrade to 1.0.1 to mitigate the risk.

How do I fix CVE-2025-48077 in Block Country WordPress Plugin?

Upgrade the Block Country plugin to version 1.0.1 or later. If you cannot upgrade immediately, deactivate the plugin until you can; CSRF protection cannot be added to a third-party plugin from outside its own code.

Is CVE-2025-48077 being actively exploited?

As of 2025-11-06, there are no confirmed reports of active exploitation and no public proof of concept; the EPSS score is 0.02% and the CVE is not in the CISA KEV catalog. The vulnerability is publicly known, however, and CSRF-driven stored XSS needs only a lured administrator, so unpatched sites should not rely on the low score.

Where can I find the official Block Country advisory for CVE-2025-48077?

Check the Block Country plugin's official website or WordPress plugin repository for the latest advisory and update information.
