Description
The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.
Published: 2025-10-25
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access
Action: Disable transients
AI Analysis

Impact

The WordPress Password Protected plugin can be misused when the "Use transients" feature is enabled. The plugin trusts client-controlled HTTP headers such as X-Forwarded-For and HTTP_CLIENT_IP to determine a visitor's IP address. By sending a forged header that contains the IP address of a legitimately authenticated user, an attacker can bypass the plugin's authorization checks and gain access to otherwise restricted content. This vulnerability results in an authorization bypass (CWE-285) but does not lead to remote code execution or other higher-level impact.

Affected Systems

WordPress sites running the Password Protected plugin on version 2.7.11 or earlier, with the "Use transients" option enabled and not protected by a CDN or reverse proxy that overrides client headers. The plugin is commonly used to lock entire sites, pages, posts, categories, and partial content.

Risk and Exploitability

The CVSS score of 3.7 indicates low overall severity, and the EPSS score of less than 1% suggests that widespread exploitation is currently unlikely. The attack vector is network-based header spoofing, but exploitability is limited because the problem requires a specific configuration (transients enabled and client-supplied IP headers reaching the plugin unmodified) and the attacker must control the request headers. The vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on April 22, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the "Use transients" feature in the Password Protected plugin settings to prevent the plugin from trusting client-supplied headers.
  • Configure your web server or reverse proxy to strip or overwrite X-Forwarded-For, HTTP_CLIENT_IP, and similar headers, ensuring the actual visitor’s IP is used.
  • Upgrade the WordPress core and the Password Protected plugin to a version newer than 2.7.11, or remove the plugin if no update is available.
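As an added illustration (not the plugin's code and not part of the OpenCVE record), the following PHP contrasts the header-trusting IP lookup that the description attributes to `pp_get_ip_address()` with a resolver that only honours X-Forwarded-For when the request arrived from a reverse proxy you operate, which is what the second recommended action relies on. The function names, the trusted proxy address 10.0.0.2 and the request arrays are assumptions constructed for this example.

```php
<?php
// Added illustration only: not the plugin's real implementation.

/**
 * Pattern the advisory describes: the first client-controlled header that
 * is present wins, so any visitor can choose the IP the application "sees".
 */
function resolve_ip_trusting_headers(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            // X-Forwarded-For may be a comma-separated chain; take the first hop.
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return '';
}

/**
 * Hardened form: consult X-Forwarded-For only when the TCP peer (REMOTE_ADDR)
 * is a proxy we operate, and then use the hop that proxy appended (the last
 * value), never a client-supplied one. Otherwise REMOTE_ADDR is the answer.
 */
function resolve_ip_trusted_proxy(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops      = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $candidate = end($hops); // value appended by our own proxy
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote;
}

// Constructed request: a direct visitor (no proxy in between) who sets the
// header themselves. Addresses are from the documentation ranges.
$spoofed = [
    'REMOTE_ADDR'          => '203.0.113.50', // real TCP peer
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7', // claims to be an already-authorised user
];
$trusted_proxies = ['10.0.0.2']; // assumed address of our reverse proxy

// The header-trusting resolver reports the attacker-chosen value; the
// hardened resolver ignores the header because the peer is not a trusted proxy.
echo 'header-trusting : ', resolve_ip_trusting_headers($spoofed), PHP_EOL;
echo 'trusted-proxy   : ', resolve_ip_trusted_proxy($spoofed, $trusted_proxies), PHP_EOL;
```

When the site does sit behind the proxy at the assumed address, the proxy must itself overwrite or append to X-Forwarded-For for the hardened resolver to be meaningful; a proxy that forwards the client's header untouched reintroduces the same problem.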

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Wordpress; Wordpress wordpress
Vendors & Products   (none)           Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Oct 2025 05:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.
Title         (none)           Password Protected <= 2.7.11 - Unauthenticated Authorization Bypass via IP Address Spoofing
Weaknesses    (none)           CWE-285
References    (none)
Metrics       (none)           cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:55.005Z

Reserved: 2025-10-02T14:25:50.992Z

Link: CVE-2025-11244

Vulnrichment

Updated: 2025-10-27T15:49:53.143Z

NVD

Status : Deferred

Published: 2025-10-25T06:15:34.910

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:00:18Z

Weaknesses