CVE-2025-11244 LOW

CVE-2025-11244: Password Protected <= 2.7.11 - Unauthenticated Authorization Bypass via IP Address Spoofing

Vendor Saadiqbal
Product Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content
Weakness CWE-285
Published October 25, 2025
Last update April 8, 2026

CVSS base score 3.7/10

Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, provided that the "Use transients" option is enabled (a non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.
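To make the header-trust problem concrete, here is an added Python model of an IP-resolution routine in the vulnerable style beside a hardened one that only honours X-Forwarded-For when the connection comes from a configured proxy. It is not the plugin's own code: the function names, the trusted-proxy list, the authorized-IP set and the addresses (203.0.113.10, 198.51.100.7, 10.0.0.0/8) are constructed for the example, and it assumes the "Use transients" option caches a visitor's IP after a successful password entry.

```python
import ipaddress

# Server variables a PHP app sees in $_SERVER. REMOTE_ADDR is the TCP peer address;
# the HTTP_* entries are request headers the client can set to anything.
CLIENT_IP_HEADERS = ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP")


def weak_get_ip(server):
    """Vulnerable pattern (constructed model): the first client-supplied header present wins."""
    for header in CLIENT_IP_HEADERS:
        if server.get(header):
            return server[header].split(",")[0].strip()
    return server.get("REMOTE_ADDR", "")


def hardened_get_ip(server, trusted_proxies=()):
    """Trust only REMOTE_ADDR, unless it is a configured proxy; then walk X-Forwarded-For
    right-to-left and return the first hop that is not itself a trusted proxy."""
    networks = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    remote = server.get("REMOTE_ADDR", "")

    def trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in net for net in networks)
        except ValueError:
            return False

    if not trusted(remote):
        return remote  # direct connection (or unknown proxy): the header is untrusted
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed(hops):
        if hop and not trusted(hop):
            try:
                ipaddress.ip_address(hop)  # reject garbage injected into the header
            except ValueError:
                return remote
            return hop
    return remote  # every hop was one of our own proxies


def demo():
    """Constructed scenario: 203.0.113.10 entered the password earlier and its IP was cached
    (the assumed "Use transients" behaviour); 198.51.100.7 now sends a spoofed header.
    Returns (weak_authorized, hardened_authorized)."""
    authorized = {"203.0.113.10"}
    request = {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": "203.0.113.10"}
    return weak_get_ip(request) in authorized, hardened_get_ip(request) in authorized
```

With no trusted proxies configured the hardened routine ignores the header entirely, which is the safe default for a site that is not behind a CDN or reverse proxy.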

Explanation of Vulnerability in Simple Terms

02 Summary

The Password Protected plugin for WordPress contains an improper access control vulnerability affecting versions up to 2.7.11. An attacker on the network can bypass authentication checks under specific conditions to gain limited read access to protected content. The vulnerability requires high attack complexity and results in low confidentiality impact. Site administrators should update to a version newer than 2.7.11.

What an attacker can do

03 Attacker Capabilities

Read limited protected content without proper authentication under specific network conditions.

Potential impact on your site

04 Site Impact

Protected pages, posts, or categories may be readable by unauthorized visitors under certain conditions.

Conditions required to exploit

05 Prerequisites

Network access; no authentication or user interaction required, but high attack complexity.

Key dates

06 Disclosure timeline

October 25, 2025 CVE published
April 8, 2026 Record updated