CVE-2025-11244

Password Protected <= 2.7.11 - Unauthenticated Authorization Bypass via IP Address Spoofing

lowImproper Authorization

3.7

CVSS Score

3.7

CVSS Score

low

Severity

2.7.12

Patched in

Time to patch

Description

The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Low

Confidentiality

None

Integrity

None

Availability

Technical Details

Affected versions<=2.7.11

PublishedOctober 24, 2025

Last updatedOctober 25, 2025

Affected pluginpassword-protected

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/30b4371d-54a2-4111-ad2c-b38b6b31884d?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database