Platform: wordpress
Component: block-country
Fixed in: 1.0.1
CVE-2025-48077 describes a Cross-Site Request Forgery (CSRF) vulnerability leading to Stored XSS within the Block Country WordPress plugin. This allows an attacker to inject malicious scripts into the plugin, potentially impacting user accounts and site functionality. The vulnerability affects versions from 0.0.0 up to and including 1.0, and a patch is available in version 1.0.1.
The primary impact of CVE-2025-48077 is the ability for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to various malicious actions, including session hijacking, credential theft (e.g., stealing login cookies), defacement of the website, and redirection to phishing sites. Because the vulnerability is CSRF-based, an attacker doesn't necessarily need to trick a user into clicking a malicious link; they can potentially trigger the XSS payload automatically, making exploitation easier. The blast radius extends to all users of the Block Country plugin, particularly those with administrative privileges.
CVE-2025-48077 was publicly disclosed on 2025-11-06. No public proof-of-concept (PoC) code has been identified as of this date. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
The recommended mitigation for CVE-2025-48077 is to immediately upgrade the Block Country plugin to version 1.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing stricter CSRF protection measures on the WordPress site. This might involve enabling 'sanitize_callback' filters on vulnerable input fields or using a WordPress security plugin that provides CSRF protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through the plugin's input fields and verifying that the payload is properly sanitized.
Update the Block Country plugin to the latest available version to mitigate the CSRF vulnerability that enables stored XSS code execution. Refer to the plugin repository on wordpress.org for the latest version and update instructions.
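The class of defect described above is a plugin settings handler that accepts a POST without a nonce or capability check and stores the raw value. The following is an added illustration, not the Block Country plugin's own code; the option name, form field names and hook names are hypothetical. It shows the unsafe pattern next to a hardened handler that applies the three controls the mitigation text refers to: a WordPress nonce (CSRF defence), a capability check, and input validation with output escaping.

```php
<?php
// Added example (not Block Country's own code). Option and field names are hypothetical.

// Unsafe pattern: no nonce check, no capability check, no sanitization.
// A forged POST issued from a logged-in administrator's browser is accepted and
// the raw value is stored, then later echoed into the admin page (stored XSS).
function bc_example_save_settings_unsafe() {
    if ( isset( $_POST['blocked_countries'] ) ) {
        update_option( 'bc_example_blocked_countries', $_POST['blocked_countries'] );
    }
}

// Hardened pattern.
function bc_example_save_settings() {
    if ( ! isset( $_POST['bc_example_save'] ) ) {
        return;
    }
    // Only users allowed to manage options may change this setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Reject any request that does not carry the nonce emitted by our own form (CSRF defence).
    check_admin_referer( 'bc_example_save_settings', 'bc_example_nonce' );

    // Validate to an allow-list shape: comma-separated ISO 3166-1 alpha-2 codes only.
    $raw   = isset( $_POST['blocked_countries'] ) ? wp_unslash( $_POST['blocked_countries'] ) : '';
    $codes = array_map( 'strtoupper', array_map( 'trim', explode( ',', sanitize_text_field( $raw ) ) ) );
    $codes = array_values( array_unique( array_filter( $codes, function ( $c ) {
        return (bool) preg_match( '/^[A-Z]{2}$/', $c );
    } ) ) );

    update_option( 'bc_example_blocked_countries', $codes );
}
add_action( 'admin_init', 'bc_example_save_settings' );

// Settings form: emits the nonce field the handler verifies and escapes on output.
function bc_example_settings_form() {
    $codes = (array) get_option( 'bc_example_blocked_countries', array() );
    echo '<form method="post">';
    wp_nonce_field( 'bc_example_save_settings', 'bc_example_nonce' );
    // Escape on output even though the stored value was validated on input.
    echo '<input type="text" name="blocked_countries" value="'
        . esc_attr( implode( ',', $codes ) ) . '">';
    echo '<button type="submit" name="bc_example_save" value="1">Save</button>';
    echo '</form>';
}
```

When auditing a plugin for this defect class, look for `update_option()` or `$wpdb` writes reachable from `admin_init`, `admin_post_*` or AJAX handlers that lack `check_admin_referer()`/`wp_verify_nonce()` and a `current_user_can()` check.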
CVE-2025-48077 is a CSRF-based Stored XSS vulnerability in the Block Country WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are using Block Country versions 0.0.0 through 1.0. Upgrade to 1.0.1 to mitigate the risk.
Upgrade the Block Country plugin to version 1.0.1 or later. Consider implementing CSRF protection measures if immediate upgrade is not possible.
As of 2025-11-06, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Check the Block Country plugin's official website or WordPress plugin repository for the latest advisory and update information.