CVE-2022-41650

Vulnerability

Overview

The Custom Content by Country plugin for WordPress, developed by Shield Security, suffers from a missing authorization vulnerability (CVE-2022-41650) in versions up to and including 3.1.2. The plugin fails to properly verify user permissions before granting access to content that should be restricted based on geographic location. This broken access control issue means that any visitor, regardless of their country, can potentially view content intended only for specific regions [1].

Exploitation

An attacker can exploit this vulnerability without requiring any authentication or special privileges. By simply sending a crafted request to the WordPress site, they can bypass the country-based content filtering logic. The attack surface is broad because the plugin is used on many websites, and the vulnerability can be automated for mass exploitation campaigns [1].

Impact

Successful exploitation allows an attacker to view content that the site administrator intended to hide from certain countries. This could expose sensitive information, such as region-specific pricing, promotional materials, or exclusive content. In some cases, it may also enable attackers to access administrative functions if the plugin's authorization checks are also missing for other actions.

Mitigation

The vendor has released a patched version beyond 3.1.2. Users are strongly advised to update the plugin immediately. If updating is not possible, consider disabling the plugin or implementing additional access controls via a web application firewall. Given that this vulnerability is known to be used in mass-exploit campaigns, prompt action is critical [1].