Description
The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled.
Published: 2025-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The Password Protected plugin for WordPress is vulnerable through its password_protected_cookie function. Unauthenticated users can invoke this function to extract all protected site content when the 'Use Transient' option is enabled. The flaw allows an attacker to obtain sensitive information that should remain restricted, effectively bypassing the plugin's content-level protection. The weakness is categorized as CWE-863 (Incorrect Authorization): functionality is exposed to users who are not authorized to use it.

Affected Systems

The issue affects installations of the Password Protected plugin – Lock Entire Site, Pages, Posts, Categories, and Partial Content – by the vendor Saadiqbal. All released versions up to and including 2.7.7 are vulnerable. The plugin restricts access to WordPress site content, pages, and WooCommerce products; sites that rely on it for protection are impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation of this flaw is currently unlikely, and it is not listed in the CISA KEV catalog. The known attack surface is a remote, unauthenticated web request to the plugin when the 'Use Transient' setting is active. An attacker would need network access to the WordPress site, but no authentication or prior setup is required, making the vulnerability potentially exploitable in production environments that rely on this plugin for access control.

Generated by OpenCVE AI on April 22, 2026 at 17:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Password Protected plugin to the latest released version that eliminates the exposed cookie handling.
  • If an upgrade cannot be applied immediately, disable the 'Use Transient' option within the plugin’s settings to prevent sensitive data from being stored in a manner exploitable by unauthenticated users.
  • Consider disabling or replacing the plugin with a more secure access‑control solution until a proper fix is available.


Advisories
Source | ID | Title
EUVD | EUVD-2025-11502 | The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled.

History

Thu, 17 Apr 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 11:30:00 +0000

Type | Values Removed | Values Added
Description | | The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled.
Title | | Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products <= 2.7.7 - Unauthenticated Sensitive Information Exposure
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:08.874Z

Reserved: 2025-04-08T15:51:36.979Z

Link: CVE-2025-3453

Vulnrichment

Updated: 2025-04-17T14:31:18.301Z

NVD

Status: Deferred

Published: 2025-04-17T12:15:15.467

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3453

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses