WP-Safety

Passster – Password Protect Pages and Content Security & Risk Analysis

wordpress.org/plugins/content-protector

Password Protect Pages, Posts & Content in WordPress

10K active installs v4.3.3 PHP 7.2+ WP 6.5+ Updated Apr 8, 2026
passwordpassword-protectpassword-protectionrestrict-contentsitewide
95
A · Safe
CVEs total10
Unpatched0
Last CVEFeb 12, 2026
Plugin page Download
Safety Verdict

Is Passster – Password Protect Pages and Content Safe to Use in 2026?

Generally Safe

Score 95/100

Passster – Password Protect Pages and Content has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

10 known CVEsLast CVE: Feb 12, 2026Updated 1mo ago
Risk Assessment

The content-protector plugin v4.2.29 presents a mixed security posture. While the static analysis shows a high percentage of properly escaped output and no evident dangerous functions or file operations, there are several areas for concern. The presence of 15 REST API routes, with one lacking permission callbacks, and 4 AJAX handlers, all without explicit authentication checks noted, creates a significant attack surface that could be exploited by unauthorized actors. The static analysis also indicates that 100% of SQL queries are not using prepared statements, which is a substantial risk for SQL injection vulnerabilities.

The vulnerability history is particularly concerning, with a total of 10 known CVEs. Although currently unpatched CVEs are reported as 0, the prevalence of medium severity vulnerabilities, including Exposure of Sensitive Information, Cross-site Scripting, Missing Authorization, and Inadequate Encryption Strength, suggests a pattern of past security weaknesses. The fact that the last vulnerability was only in February 2026 further highlights ongoing security challenges. While the plugin has strengths in output escaping and a lack of critical taint flows, the historical vulnerability record and the identified attack surface points necessitate caution.

Key Concerns

  • 1 REST API route without permission callbacks
  • 100% of SQL queries use raw SQL
  • 4 AJAX handlers with no auth checks noted
  • 10 known medium severity CVEs
  • Bundled library Freemius v1.0 outdated
Vulnerabilities
10 published

Passster – Password Protect Pages and Content Security Vulnerabilities

CVEs by Year

3 CVEs in 2022
2022
2 CVEs in 2024
2024
3 CVEs in 2025
2025
2 CVEs in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
10

10 total CVEs

CVE-2026-25036medium · 4.3Missing Authorization

Passster <= 4.2.25 - Missing Authorization

Feb 12, 2026 Patched in 4.2.26 (5d)
CVE-2025-14865medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Passster – Password Protect Pages and Content <= 4.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 27, 2026 Patched in 4.2.25 (2d)
CVE-2025-64218medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Passster <= 4.2.19 - Unauthenticated Information Exposure

Nov 12, 2025 Patched in 4.2.20 (39d)
CVE-2025-57926medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Passster <= 4.2.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 Patched in 4.2.19 (30d)
CVE-2024-11282medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Passster – Password Protect Pages and Content <= 4.2.10 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

Jan 6, 2025 Patched in 4.2.11 (1d)
CVE-2024-2026medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Passster <= 4.2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via content_protector Shortcode

Apr 4, 2024 Patched in 4.2.6.5 (12d)
CVE-2024-0616medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Passster – Password Protect Pages and Content <= 4.2.6.2 - Missing Authorization to Sensitive Information Exposure

Feb 8, 2024 Patched in 4.2.6.3 (173d)
CVE-2021-24837medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Passster – Password Protection <= 3.5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 29, 2022 Patched in 3.5.5.8 (390d)
CVE-2021-24881medium · 5.3Missing Authorization

Passster <= 3.5.5.8 - Missing Authentication leading to Sensitive Information Disclosure (Private Post Leakage)

Dec 29, 2022 Patched in 3.5.5.9 (390d)
CVE-2022-3206medium · 5.3Inadequate Encryption Strength

Passster <= 3.5.5.5.1 - Insecure Password Storage to Sensitive Data Exposure

Sep 21, 2022 Patched in 3.5.5.5.2 (489d)
Version History

Passster – Password Protect Pages and Content Release Timeline

v4.3.3Current
v4.3.2
v4.3.1
v4.3.0
v4.2.29
v4.2.28
v4.2.27
v4.2.26
v4.2.251 CVE
CVE-2026-25036
v4.2.242 CVEs
CVE-2025-14865 CVE-2026-25036
v4.2.232 CVEs
CVE-2025-14865 CVE-2026-25036
v4.2.222 CVEs
CVE-2025-14865 CVE-2026-25036
v4.2.212 CVEs
CVE-2025-14865 CVE-2026-25036
v4.2.202 CVEs
CVE-2025-14865 CVE-2026-25036
v4.2.193 CVEs
CVE-2025-14865 CVE-2025-64218 CVE-2026-25036
v4.2.184 CVEs
CVE-2025-14865 CVE-2025-64218 CVE-2026-25036 +1 more
v4.2.174 CVEs
CVE-2025-14865 CVE-2025-64218 CVE-2026-25036 +1 more
v4.2.164 CVEs
CVE-2025-14865 CVE-2025-64218 CVE-2026-25036 +1 more
v4.2.154 CVEs
CVE-2025-14865 CVE-2025-64218 CVE-2026-25036 +1 more
v4.2.144 CVEs
CVE-2025-14865 CVE-2025-64218 CVE-2026-25036 +1 more
Code Analysis
Analyzed Mar 16, 2026

Passster – Password Protect Pages and Content Code Analysis

Dangerous Functions
0
Raw SQL Queries
4
0 prepared
Unescaped Output
7
150 escaped
Nonce Checks
2
Capability Checks
20
File Operations
0
External Requests
0
Bundled Libraries
1

Bundled Libraries

Freemius1.0

SQL Query Safety

0% prepared4 total queries

Output Escaping

96% escaped157 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

3 flows
validate_input (inc\class-ps-ajax.php:43)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

Passster – Password Protect Pages and Content Attack Surface

Entry Points21
Unprotected1

AJAX Handlers 4

authwp_ajax_validate_inputinc\class-ps-ajax.php:19
noprivwp_ajax_validate_inputinc\class-ps-ajax.php:20
authwp_ajax_hash_passwordinc\class-ps-ajax.php:21
noprivwp_ajax_hash_passwordinc\class-ps-ajax.php:22

REST API Routes 15

GET/wp-json/passster/v1/settingsinc\admin\inc\class-ps-admin-settings.php:97
GET/wp-json/passster/v1/system-statusinc\admin\inc\class-ps-admin-settings.php:104
POST/wp-json/passster/v1/settingsinc\admin\inc\class-ps-admin-settings.php:111
POST/wp-json/passster/v1/migrateinc\admin\inc\class-ps-admin-settings.php:118
GET/wp-json/passster/v1/pagesinc\admin\inc\class-ps-admin-settings.php:125
GET/wp-json/passster/v1/excludable-pagesinc\admin\inc\class-ps-admin-settings.php:132
GET/wp-json/passster/v1/edit-urlinc\admin\inc\class-ps-admin-settings.php:139
GET/wp-json/passster/v1/post-titleinc\admin\inc\class-ps-admin-settings.php:146
GET/wp-json/passster/v1/child-pagesinc\admin\inc\class-ps-admin-settings.php:153
POST/wp-json/passster/v1/metainc\admin\inc\class-ps-meta.php:220
GET/wp-json/passster/v1/metainc\admin\inc\class-ps-meta.php:227
GET/wp-json/passster/v1/areasinc\admin\inc\class-ps-meta.php:234
GET/wp-json/passster/v1/password-lists-modalinc\admin\inc\class-ps-upsells.php:58
GET/wp-json/passster/v1/statistics-modalinc\admin\inc\class-ps-upsells.php:68
POST/wp-json/passster/v1/noncesinc\class-ps-rest-handler.php:123

Shortcodes 2

[content_protector] inc\class-ps-public.php:18
[passster] inc\class-ps-public.php:19
WordPress Hooks 40
actionplugins_loadedcontent-protector.php:25
actionadmin_menuinc\admin\inc\class-ps-admin-settings.php:31
actionrest_api_initinc\admin\inc\class-ps-admin-settings.php:32
actionadmin_menuinc\admin\inc\class-ps-admin.php:27
actioninitinc\admin\inc\class-ps-admin.php:28
filtermanage_protected_areas_posts_columnsinc\admin\inc\class-ps-admin.php:29
filtermanage_post_posts_columnsinc\admin\inc\class-ps-admin.php:30
filtermanage_page_posts_columnsinc\admin\inc\class-ps-admin.php:31
actionmanage_post_posts_custom_columninc\admin\inc\class-ps-admin.php:32
actionmanage_page_posts_custom_columninc\admin\inc\class-ps-admin.php:38
actionmanage_protected_areas_posts_custom_columninc\admin\inc\class-ps-admin.php:44
actionwp_headinc\admin\inc\class-ps-dynamic-styles.php:32
actioninitinc\admin\inc\class-ps-meta.php:31
actionadmin_enqueue_scriptsinc\admin\inc\class-ps-meta.php:32
actionrest_api_initinc\admin\inc\class-ps-meta.php:33
actionadd_meta_boxesinc\admin\inc\class-ps-meta.php:34
actionadmin_menuinc\admin\inc\class-ps-upsells.php:31
actionrest_api_initinc\admin\inc\class-ps-upsells.php:32
actionadmin_print_scriptsinc\admin\inc\class-ps-upsells.php:33
actionwp_enqueue_scriptsinc\class-ps-ajax.php:18
actionwp_enqueue_scriptsinc\class-ps-block-editor.php:29
actionenqueue_block_editor_assetsinc\class-ps-block-editor.php:30
actioninitinc\class-ps-block-editor.php:31
filterpre_get_postsinc\class-ps-protected-posts.php:35
filterthe_contentinc\class-ps-public.php:20
filteracf_the_contentinc\class-ps-public.php:21
filterget_the_excerptinc\class-ps-public.php:22
actiontemplate_redirectinc\class-ps-public.php:23
filterrest_authentication_errorsinc\class-ps-rest-handler.php:32
filterrest_prepare_postinc\class-ps-rest-handler.php:33
actionrest_api_initinc\class-ps-rest-handler.php:35
filterconnect_urlinc\freemius-setup.php:43
filterafter_skip_urlinc\freemius-setup.php:44
filterafter_connect_urlinc\freemius-setup.php:45
filterafter_pending_connect_urlinc\freemius-setup.php:46
filtershow_deactivation_subscription_cancellationinc\freemius-setup.php:47
filtershow_deactivation_feedback_forminc\freemius-setup.php:48
filteris_submenu_visibleinc\freemius-setup.php:61
filterplugin_iconinc\freemius-setup.php:72
actionafter_uninstallinc\freemius-setup.php:75
Maintenance & Trust

Passster – Password Protect Pages and Content Maintenance & Trust

Maintenance Signals

WordPress version tested7.0
Last updatedApr 8, 2026
PHP min version7.2
Downloads585K

Community Trust

Rating84/100
Number of ratings59
Active installs10K
Alternatives

Passster – Password Protect Pages and Content Alternatives

PPWP – Password Protect Pages

PPWP – Password Protect Pages

password-protect-page

A
95

Password protect WordPress pages and posts by user roles or with multiple passwords; protect your entire website with a single password.

30K 5 CVEs
Smart Protect

Smart Protect

smart-protect

A
85

Smart Protect offers a solution to protect your entire site and choose which pages within your site will not be protected, all in a simple and easy wa &hellip;

10 No CVEs
Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content

password-protected

A
96

Protect your WordPress site, pages, posts, WooCommerce products, and categories with single or multiple passwords.

300K 5 CVEs
RIACO Content Protector

RIACO Content Protector

riaco-content-protector

A
100

Protect any portion of your WordPress content using a simple shortcode. Includes global password, AJAX unlock, and site-wide instant access.

0 No CVEs
Solid Security – Password, Two Factor Authentication, and Brute Force Protection

Solid Security – Password, Two Factor Authentication, and Brute Force Protection

better-wp-security

A
93

Harden your site security with Login Security, Two-Factor Authentication (2FA), Vulnerability Scanner, Firewall, and more. Formerly iThemes Security.

700K 19 CVEs
Developer Profile

Passster – Password Protect Pages and Content Developer Profile

WP Chill

29 plugins · 420K total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
560 days
View full developer profile
Detection Fingerprints

How We Detect Passster – Password Protect Pages and Content

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/content-protector/inc/admin/build/index.css/wp-content/plugins/content-protector/inc/admin/build/index.js
Script Paths
/wp-content/plugins/content-protector/inc/admin/build/index.js
Version Parameters
content-protector/inc/admin/build/index.js?ver=content-protector/inc/admin/build/index.css?ver=

HTML / DOM Fingerprints

CSS Classes
passster-settings
Data Attributes
data-passster
JS Globals
options.screenoptions.versionoptions.logooptions.is_prooptions.global_edit_url
REST Endpoints
/wp-json/passster/v1/settings/wp-json/passster/v1/system-status/wp-json/passster/v1/migrate/wp-json/passster/v1/pages
FAQ

Frequently Asked Questions about Passster – Password Protect Pages and Content