The Password Protected plugin (300k+ installs) is widely used to place a front-end password gate on WordPress sites, preventing casual visitors from viewing pages until a shared password is entered. While convenient, this security model must strictly bind the “authenticated” state to something the attacker cannot forge. CVE-2025-11244 shows a critical flaw in the plugin’s Advanced → Cache issue → “Use transients” mode: the plugin derives the session key from the visitor’s IP address, and it trusts client-supplied proxy headers (such as X-Forwarded-For) without a trusted proxy policy. This allows an unauthenticated attacker to spoof a victim’s public IP and reuse the victim’s transient-based “logged in” state, bypassing the password gate entirely.

CVE: CVE-2025-11244
Plugin Version: Password Protected <= 2.7.11
Critical: High
All Time: 6 806 180
Active installations: 300 000+
Publicly Published: September 4, 2025
Last Updated: September 4, 2025
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11244
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/password-protected/password-protected-2711-unauthenticated-authorization-bypass-via-ip-address-spoofing

Timeline

September 17, 2025: Plugin testing and vulnerability detection in Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content have been completed
September 17, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
October 24, 2025: Registered CVE-2025-11244

Discovery of the Vulnerability

When “Use transients” is enabled, the plugin stores and retrieves the authorization state using a transient key of the form:
<cookie_name>_<IP>

The IP is obtained by pp_get_ip_address() in includes/transient-functions.php (~L33–L52), which scans several proxy headers (HTTP_X_FORWARDED_FOR, HTTP_CLIENT_IP, HTTP_FORWARDED, etc.) and returns the first public IP it finds. Importantly, the function neither validates that the request came through a trusted proxy nor restricts header parsing to requests from known upstream IPs. The transient storage/retrieval functions pp_set_transient / pp_get_transient use that key (~L58–L67, L79–L91, L93–L97) and are wired into the auth flow via password_protected_cookie('get'|'set'|'delete') in includes/compatibility.php (~L11–L84). The auth token itself is not safely bound to the client (see generate_auth_cookie() / parse_auth_cookie() in password-protected.php, ~L717–L726 and ~L743), so in this mode the plugin effectively treats "same IP" as "same authenticated user." If the attacker can spoof the IP, they can make the plugin load someone else's transient.

Understanding Authorization Bypass via IP Spoofing attacks

In modern hosting, reverse proxies and CDNs routinely add X-Forwarded-For, but an application must not trust that header unless it knows the request arrived through a trusted proxy. If PHP code reads X-Forwarded-For straight from $_SERVER on a request that came directly from the client, the client chose its contents. A security feature that derives session identity from such a header is authentication by user-controlled input. Similar issues have hit rate limiters, IP allowlists, and login-protection plugins that accepted arbitrary XFF values without validating the upstream network path. CVE-2025-11244 is particularly severe because the result is a full password bypass for protected content.

Exploiting the Authorization Bypass via IP Spoofing Vulnerability

To reproduce CVE-2025-11244 (the attacker needs neither a cookie nor the password):

POC:

1) As WP admin, go to Settings → Password Protected → Advanced → Cache issue and select the transients option, Save.
2) Set a New Password in "Password Protected Configuration" settings
3) Victim browses the site once, enters the correct password, and is now “logged in” by IP (no cookie needed across browsers on the same WAN IP).
4) Attacker learns victim’s public IP (not RFC1918) and issues a front-end request with a spoofed header:
curl -i -H 'X-Forwarded-For: 203.0.113.55' http://target.example/
5) If the web tier passes client XFF to PHP, the plugin looks up <cookie_name>_203.0.113.55, fetches the victim’s transient, and serves protected content without knowing the password.

Potential Risks and Impact

Complete bypass of “Password Protected”: Attackers gain access to content intended to be private (staging sites, pre-release pages, internal documentation, client materials).

Low detection: Access appears as normal browsing; no failed password attempts occur.

NAT and shared-IP amplification: In co-working spaces or corporate networks, one authenticated user can unintentionally unlock the site for all others sharing the same WAN IP.

Sensitive data exposure: Protected content may include contact lists, invoices, unpublished marketing pages, or contractual materials, leading to reputational and legal risk.

Recommendations for Improved Security

For plugin maintainers

  1. Stop trusting proxy headers by default: Only honor X-Forwarded-For / Forwarded headers if the request originates from a trusted proxy list (e.g., configurable CIDRs). Otherwise, use REMOTE_ADDR.
  2. Bind auth state to secure tokens: Do not key authentication solely on IP; use an HMAC’d cookie or session token that cannot be guessed or forged.
  3. Harden transients mode: If transients remain, key them using a cryptographically strong random session identifier stored in a cookie—not cookie_name + IP.
  4. Document secure deployment: Provide explicit guidance for sites behind Cloudflare/Nginx/ELB: how to configure trusted proxies and how to pass real client IP safely.
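As an added illustration (not the plugin's own code and not from the researcher) of the <cookie_name>_<IP> key derivation in the Discovery section, the spoofed-header step in the PoC, and maintainer recommendations 1 and 3 above, the PHP below models the vulnerable header-first IP lookup beside a trusted-proxy-aware version and a cookie-bound key. The function names, the cookie name, the proxy CIDRs and the two request arrays are assumptions constructed for the example.

```php
<?php
// Added example, not code from Password Protected: the vulnerable header-first
// IP lookup beside a trusted-proxy-aware replacement (recommendation 1) and a
// cookie-bound transient key (recommendation 3). Names below are assumptions.
declare(strict_types=1);

const COOKIE_NAME = 'pp_auth'; // assumed; stands in for the plugin's cookie name

function transient_key(string $ip): string
{
    return COOKIE_NAME . '_' . $ip; // the <cookie_name>_<IP> shape from the text
}

// Vulnerable pattern: the first public address found in any client-supplied
// proxy header wins, whether or not a proxy actually set that header.
function vulnerable_get_ip(array $server): string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'REMOTE_ADDR'] as $h) {
        foreach (explode(',', (string) ($server[$h] ?? '')) as $candidate) {
            $candidate = trim($candidate); // "public" here: valid and not RFC1918
            if ($candidate !== '' && filter_var($candidate, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE) !== false) {
                return $candidate;
            }
        }
    }
    return (string) ($server['REMOTE_ADDR'] ?? '');
}

// Hardened: honor X-Forwarded-For only when the TCP peer is a configured trusted
// proxy, then walk the chain from the right and take the first hop that is not
// itself a trusted proxy (the address the last proxy actually saw).
function trusted_get_ip(array $server, array $trustedCidrs): string
{
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    $xff    = (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff === '' || !ip_in_cidrs($remote, $trustedCidrs)) {
        return $remote; // direct client: its header is untrusted input
    }
    $chain = array_map('trim', explode(',', $xff));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (filter_var($chain[$i], FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed chain: fail closed to the peer address
        }
        if (!ip_in_cidrs($chain[$i], $trustedCidrs)) {
            return $chain[$i];
        }
    }
    return $remote; // every hop was a trusted proxy
}

function ip_in_cidrs(string $ip, array $cidrs): bool
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return false;
    }
    foreach ($cidrs as $cidr) {
        [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
        $netPacked = @inet_pton($net);
        if ($netPacked === false || strlen($netPacked) !== strlen($packed)) {
            continue; // bad entry or address-family mismatch
        }
        $maxBits = strlen($packed) * 8;
        $bits = $bits === null ? $maxBits : min((int) $bits, $maxBits);
        if (prefix_match($packed, $netPacked, $bits)) {
            return true;
        }
    }
    return false;
}

// Compare the first $bits bits of two packed addresses of equal length.
function prefix_match(string $a, string $b, int $bits): bool
{
    $full = intdiv($bits, 8);
    if (substr($a, 0, $full) !== substr($b, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask);
}

// Recommendation 3: key the state on a random, server-issued session id carried
// in a cookie, so nothing the client can set selects another visitor's transient.
// Returns [cookie value to (re)issue, transient key].
function session_transient_key(?string $cookieValue): array
{
    if ($cookieValue === null || !preg_match('/^[0-9a-f]{64}$/', $cookieValue)) {
        $cookieValue = bin2hex(random_bytes(32));
    }
    return [$cookieValue, COOKIE_NAME . '_' . hash('sha256', $cookieValue)];
}

// Constructed requests (example data, not captured traffic).
$trusted = ['10.0.0.0/8', '2001:db8::/32'];                         // assumed proxy ranges
$direct  = ['REMOTE_ADDR' => '198.51.100.7',                        // attacker, no proxy in path
            'HTTP_X_FORWARDED_FOR' => '203.0.113.55'];               // forged victim IP
$proxied = ['REMOTE_ADDR' => '10.0.0.5',                            // arrived via trusted proxy
            'HTTP_X_FORWARDED_FOR' => '203.0.113.55, 198.51.100.7']; // forged value + real peer appended

printf("vulnerable, direct : %s\n", transient_key(vulnerable_get_ip($direct)));
printf("hardened,   direct : %s\n", transient_key(trusted_get_ip($direct, $trusted)));
printf("hardened,   proxied: %s\n", transient_key(trusted_get_ip($proxied, $trusted)));
[$sid, $key] = session_transient_key(null);
printf("session key        : %s (cookie %s...)\n", $key, substr($sid, 0, 8));
```

Run it with php from the command line. For the direct request, the vulnerable lookup takes the forged 203.0.113.55 from the header and hands the attacker the victim's key, while the hardened lookup ignores the header because 198.51.100.7 is not a trusted peer. For the proxied request, walking the chain from the right means a value the client prepended is never chosen over the address the proxy itself appended. Where a CDN or Nginx fronts the site, doing the same at the server (set_real_ip_from / real_ip_header, as in site-owner recommendation 2) and reading only REMOTE_ADDR in PHP is equivalent and easier to audit; the cookie-bound key takes the IP out of the lookup entirely and is the stronger fix.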

For site owners

  1. Disable “Use transients” unless strictly necessary.
  2. If behind a proxy/CDN, enforce correct IP handling at the server level (e.g., Nginx real_ip_header + set_real_ip_from) and strip spoofed headers from direct clients.
  3. Consider using alternative access controls (HTTP Basic Auth, SSO gate, or staging environment access control) for truly sensitive content.
  4. Monitor for unexpected traffic patterns where protected content is served without corresponding password entry events.

By taking proactive measures to address auth bypass vulnerabilities like CVE-2025-11244, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2025-11244 – Password Protected – Unauthenticated Authorization Bypass via IP Address Spoofing – POC
