What the vulnerability does
01 Description
The DocCheck Login plugin for WordPress is vulnerable to unauthorized post access in all versions up to, and including, 1.1.5. This is due to the plugin redirecting a user to log in on a password-protected post only after the page has loaded. This makes it possible for unauthenticated attackers to read posts they should not have access to.
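The difference between a redirect issued after the page has loaded and an access check made before any output, as an added example. This is a hypothetical illustration of the bug class, not DocCheck Login's code; the `my_*` function names and the `_my_protected` meta key are assumptions.

```php
<?php
// Hypothetical illustration of the bug class; not the plugin's own code.
// The my_* helpers and the '_my_protected' meta key are placeholders.

function my_is_protected( $post_id ) {
    // Assumption: protected posts are flagged with a post meta key.
    return (bool) get_post_meta( $post_id, '_my_protected', true );
}

function my_visitor_is_authorised() {
    // Assumption: stands in for whatever session check the site uses.
    return is_user_logged_in();
}

// WEAK: runs on wp_footer, after the post body is already in the response.
// The browser is sent to the login page, but the HTML it received
// still contains the protected content.
function my_late_redirect() {
    if ( is_singular()
        && my_is_protected( get_queried_object_id() )
        && ! my_visitor_is_authorised() ) {
        printf(
            '<script>location.href=%s;</script>',
            wp_json_encode( wp_login_url( get_permalink() ) )
        );
    }
}
// add_action( 'wp_footer', 'my_late_redirect' ); // shown for contrast only

// HARDENED: decide on template_redirect, before any template output,
// send a real HTTP redirect and stop so no post content is rendered.
function my_early_gate() {
    if ( ! is_singular() ) {
        return;
    }
    $post_id = get_queried_object_id();
    if ( my_is_protected( $post_id ) && ! my_visitor_is_authorised() ) {
        nocache_headers(); // keep caches from storing the gated response
        wp_safe_redirect( wp_login_url( get_permalink( $post_id ) ) );
        exit; // nothing after this point reaches the client
    }
}
add_action( 'template_redirect', 'my_early_gate' );
```

`template_redirect` covers front-end page views only; the same check is needed wherever else the post body is served, such as the REST API.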
Explanation of Vulnerability in Simple Terms
02 Summary
DocCheck Login versions up to 1.1.5 contain an access control flaw that allows unauthenticated attackers to read limited sensitive information over the network. The vulnerability requires no user interaction and no special configuration. An attacker can retrieve data without authentication, though the impact is restricted to confidentiality.
What an attacker can do
03 Attacker Capabilities
Read limited sensitive information without logging in.
Potential impact on your site
04 Site Impact
Sensitive data may be exposed to unauthenticated visitors if DocCheck Login is deployed.
Conditions required to exploit
05 Prerequisites
Network access to the affected DocCheck Login instance; no authentication required.
Key dates
06 Disclosure timeline
July 4, 2025: CVE published
April 8, 2026: Record updated