Description
Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PPWP WordPress plugin up to version 1.9.19 contains an insecure direct object reference flaw that allows an attacker who can guess or know the identifier of a protected page to retrieve or manipulate that content without proper authorization, resulting in a breach of confidentiality and integrity of protected pages.

Affected Systems

WordPress PPWP plugin (Password Protect Page) versions 1.9.19 and earlier, maintained by the WP Folio Team, are affected; any release from 1.9.20 onward is not vulnerable.

Risk and Exploitability

The CVSS v3.1 base score of 4.3 is rated Medium. EPSS is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires knowledge of a protected page identifier and the ability to send crafted HTTP requests; the CVSS vector also records that low privileges are required (PR:L), which matches the Contributor role named in the description. The attack vector is the network (AV:N), so any network-facing WordPress installation with the vulnerable plugin installed is exposed.

Generated by OpenCVE AI on June 26, 2026 at 16:56 UTC.

Remediation

Vendor Solution

Update the WordPress PPWP Plugin to the latest available version (at least 1.9.20).


OpenCVE Recommended Actions

  • Upgrade the PPWP plugin to version 1.9.20 or later.
  • Remove or deactivate any unused instances of the PPWP plugin to minimize attack surface.
  • Enforce strict role‑based access control so that only authorized users can view or edit protected pages, mitigating the impact of potential residual IDOR weaknesses.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wp Folio Team; Wp Folio Team ppwp
Vendors & Products | | Wordpress; Wordpress wordpress; Wp Folio Team; Wp Folio Team ppwp

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.
Title | | WordPress PPWP plugin <= 1.9.19 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:40:08.022Z

Reserved: 2026-06-25T08:03:10.451Z

Link: CVE-2026-57634

Vulnrichment

Updated: 2026-06-26T15:40:00.701Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:00:05Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key