Vulnerabilities and security researches forpassword-protected password-protected

Jun 07, 2024

CVE, Research URL: 4219069bbfaf3f7e65d60199dca25fc1f1f2ec0f
Home page URL: Security reports for Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Application: Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Date: Nov 27, 2015
Research Description: Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more [password-protected] < 1.5 (closed) WordPress Password Protected Plugin <= 1.4 - Arbitrary Site Redirect This plugin is prone to login process redirect_to parameter arbitrary site redirect vulnerability. Upgrade the plugin.
Affected versions: max 1.5.
Status: vulnerable

CVE, Research URL: CVE-2023-32580
Home page URL: Security reports for Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Application: Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Date: Jun 23, 2023
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPExperts Password Protected plugin <= 2.6.2 versions.
Affected versions: max 1.5.
Status: vulnerable

CVE, Research URL: CVE-2024-0656
Home page URL: Security reports for Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Application: Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Date: Feb 29, 2024
Research Description: The Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Captcha Site Key in all versions up to, and including, 2.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 2.6.7.
Status: vulnerable

CVE, Research URL: CVE-2024-0437
Home page URL: Security reports for Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Application: Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Date: May 15, 2024
Research Description: The Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the API. This makes it possible for authenticated attackers, with subscriber access or higher, to extract post titles and content, thus bypassing the plugin's password protection.
Affected versions: max 2.6.7.
Status: vulnerable

Apr 18, 2025

CVE, Research URL: CVE-2025-3453
Home page URL: Security reports for Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Application: Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Date: Apr 17, 2025
Research Description: The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled.
Affected versions: max 2.7.8.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-11244
Home page URL: Security reports for Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Application: Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease
Date: Oct 25, 2025
Research Description: The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.
Affected versions: max 2.7.12.
Status: vulnerable