CVE-2025-1502 identifies a missing authorization vulnerability (CWE-862) in the IP2Location Redirection plugin for WordPress, versions up to and including 1.33.3. The vulnerability exists because the plugin fails to perform a capability check on the AJAX action 'download_ip2location_redirection_backup'. This AJAX endpoint is intended to allow authorized users to download backup settings of the plugin. However, due to the missing authorization, unauthenticated attackers can invoke this action remotely and retrieve the plugin's configuration data without any credentials or user interaction. The exposed data may include IP-based redirection rules, API keys, or other sensitive configuration parameters stored by the plugin. The vulnerability is remotely exploitable over the network without authentication, making it accessible to any attacker aware of the endpoint. The CVSS v3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating low complexity and no privileges or user interaction required, but limited impact confined to confidentiality. No integrity or availability impacts are present. No patches or official fixes were linked at the time of publication, and no known exploits have been reported in the wild. The vulnerability was reserved on 2025-02-20 and published on 2025-03-01 by Wordfence.

The primary impact of this vulnerability is unauthorized disclosure of plugin configuration data, which may include sensitive information such as IP redirection rules, API keys, or other operational parameters. Exposure of such data could aid attackers in reconnaissance, enabling them to map network redirection logic or potentially leverage leaked API keys for further attacks. While the vulnerability does not allow modification or deletion of data, the confidentiality breach could facilitate targeted attacks or privilege escalation in complex environments. Organizations relying on IP2Location Redirection for geolocation-based content delivery or access control may face increased risk of information leakage. The ease of exploitation (no authentication or user interaction required) increases the likelihood of opportunistic scanning and data theft. However, the absence of known active exploits and the medium CVSS score suggest moderate immediate risk. Still, organizations should treat this vulnerability seriously due to the sensitive nature of configuration data and the potential for chained attacks.

1. Immediate mitigation involves restricting access to the AJAX endpoint 'download_ip2location_redirection_backup' by implementing server-level access controls such as IP whitelisting or web application firewall (WAF) rules to block unauthenticated requests. 2. If possible, disable or remove the backup download functionality until a vendor patch is available. 3. Monitor web server logs for suspicious access attempts to the vulnerable AJAX action and investigate any unauthorized downloads. 4. Limit plugin usage to trusted administrators and ensure WordPress installations follow the principle of least privilege. 5. Regularly update the IP2Location Redirection plugin once the vendor releases a security patch addressing this vulnerability. 6. Consider using security plugins that enforce strict capability checks on AJAX actions or implement custom code to add missing authorization checks. 7. Conduct an audit of exposed configuration data and rotate any leaked API keys or credentials to prevent misuse. 8. Educate site administrators about the risks of unauthorized data exposure and encourage prompt application of security updates.