Description
The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. This makes it possible for unauthenticated attackers to extract sensitive data including the content of restricted posts on archive and feed pages.
Published: 2025-08-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Patch Plugin
AI Analysis

Impact

The WP Private Content Plus plugin for WordPress contains a flaw in the validate_restrictions function that allows any visitor to read content from restricted posts when those posts appear on archive and feed pages. The exposed data can include post body text, media, or other details that were meant to be visible only to authorized users; the flaw grants no code execution or privilege escalation. Loss of confidentiality is the primary impact.

Affected Systems

WordPress sites running WP Private Content Plus version 3.6.2 or earlier are affected; the vendor nimeshrmr identified the flaw in all releases up to and including 3.6.2. Sites running newer versions are not impacted.

Risk and Exploitability

The CVSS score of 5.3 signifies a moderate level of risk. The EPSS score of less than 1% indicates that the exploit probability is currently very low, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is unauthenticated and occurs simply by navigating to publicly accessible archive or feed URLs, without requiring any special credentials or pre‑existing attacker access.

Generated by OpenCVE AI on April 21, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Private Content Plus to version 3.6.3 or later (or any newer release that contains the patch).
  • If a patch is not yet available, temporarily disable or delete the plugin until an update is released.
  • Restrict access to archive and feed pages through server configuration or plugin settings so that only authenticated users can reach them.
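One way to apply the third action at the application layer, as an added example that is not part of the OpenCVE record or the plugin's own code: a must-use plugin that requires a logged-in user for any archive or feed request. It relies only on core WordPress functions (template_redirect, is_feed, is_archive, is_user_logged_in, status_header, wp_safe_redirect, wp_login_url); the choice of which contexts to gate, and the decision to answer feed clients with 401 rather than a redirect, are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Require Login for Archives and Feeds (added example)
 *
 * Interim mitigation for a site that cannot yet update the vulnerable plugin:
 * anonymous requests for archive pages are sent to the login form, and
 * anonymous feed requests receive a 401 instead of feed XML. Place the file in
 * wp-content/mu-plugins/ so it loads early and cannot be deactivated by accident.
 * Remove it once the plugin has been updated to a fixed release.
 */

add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return; // authenticated users keep normal access to archives and feeds
    }

    if ( is_feed() ) {
        // Feed readers do not follow login redirects, so refuse with 401 and
        // mark the response uncacheable so no proxy serves a stale copy.
        status_header( 401 );
        nocache_headers();
        header( 'Content-Type: text/plain; charset=utf-8' );
        echo 'Authentication required.';
        exit;
    }

    if ( is_archive() ) {
        // Category, tag, taxonomy, author, date and post-type archives all list
        // post content; send anonymous visitors to log in and come back here.
        // (Add is_home() or is_search() to this condition if the theme prints
        // post content on those pages as well; that is a per-site decision.)
        $requested = home_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );
        wp_safe_redirect( wp_login_url( $requested ) );
        exit;
    }
}, 0 ); // priority 0: run before theme or plugin template_redirect handlers
```

The mu-plugin location matters: a normal plugin can be disabled from the dashboard, whereas files in wp-content/mu-plugins/ are always loaded. Verify the behaviour by fetching /feed/ and a category URL without cookies and confirming you get a 401 and a login redirect respectively, then repeat while logged in to confirm normal rendering.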

Generated by OpenCVE AI on April 21, 2026 at 19:25 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-24197
Title: The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. This makes it possible for unauthenticated attackers to extract sensitive data including the content of restricted posts on archive and feed pages.
History

Thu, 14 Aug 2025 06:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 Aug 2025 07:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nimeshrmr; Nimeshrmr wp Private Content Plus; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Nimeshrmr; Nimeshrmr wp Private Content Plus; Wordpress; Wordpress wordpress

Tue, 12 Aug 2025 02:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. This makes it possible for unauthenticated attackers to extract sensitive data including the content of restricted posts on archive and feed pages.

Type: Title
Values Removed: (none)
Values Added: WP Private Content Plus <= 3.6.2 - Unauthenticated Sensitive Information Exposure

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Nimeshrmr Wp Private Content Plus
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:11.400Z

Reserved: 2025-05-06T19:28:43.766Z

Link: CVE-2025-4390

Vulnrichment

Updated: 2025-08-12T13:32:38.717Z

NVD

Status : Deferred

Published: 2025-08-12T03:15:28.763

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4390

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses