WordPress Security Bulletin: Advanced Country Blocker Plugin Vulnerability (CVE-2026-1675)

On this page

Security Alert Summary

The Advanced Country Blocker plugin for WordPress contains an authorization bypass vulnerability (CVE-2026-1675) that affects all versions up to and including 2.3.1. The issue is caused by a predictable default value for a secret bypass key created during installation; if administrators do not change that default key, unauthenticated attackers can bypass the plugin’s geolocation blocking by appending the key to URLs.

CVE Details

  • CVE ID: CVE-2026-1675
  • Affected plugin / component: The Advanced Country Blocker plugin for WordPress
  • Affected versions: All versions up to, and including, 2.3.1
  • Published: February 7, 2026 at 9:16:01 AM
  • Last modified: February 7, 2026 at 9:16:01 AM
  • CVSS v3.1: Base Score 5.3 — MEDIUM
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: NONE
    • User Interaction: NONE
    • Scope: UNCHANGED
    • Confidentiality Impact: NONE
    • Integrity Impact: LOW
    • Availability Impact: NONE
  • CWE / weakness: CWE-1188

Technical Details

The plugin generates a secret bypass key during installation and uses it as a mechanism to bypass geolocation-based blocking. The vulnerability exists because the initial default value for that secret bypass key is predictable and the installation process does not require administrators to change it. As a result, an unauthenticated attacker can append the known default key to any URL on a site where the administrator left the default in place and bypass the plugin’s geolocation filters.

The description indicates the bypass is achieved by including the key in a request URL; no authenticated access is required. The primary technical consequence is a loss of integrity for the geolocation-based access control — blocked regions or IP ranges may access resources that were intended to be restricted by the plugin.

How This Could Impact Your Website

Consider a small organization running a site with an administrator, a few internal editors, and an external contractor who contributes content. If the administrator has not changed the plugin’s default bypass key, an unauthenticated attacker can access pages or resources that the site owner intended to restrict by country. This may allow access to location-restricted content, preview pages, or administrative interfaces protected only by the geolocation rule, undermining the intended access controls.

Practical consequences include the circumvention of geographic restrictions and exposure of content intended for select audiences. While confidentiality impact is reported as NONE for this issue, the integrity of the site’s geolocation controls is affected, increasing the risk that blocked users can reach content or pages they should not. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
  • Review and reduce unnecessary user roles, especially contributor and editor accounts that have elevated access.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Check the plugin’s installation settings and ensure any default secret or bypass keys are changed to strong, unique values.
  • Monitor site activity for unusual behavior, such as unexpected access to pages that should be geo-restricted.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References