cleantalk
Vulnerabilities and Security Researches

Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease, CVE-2025-11244

CVE, Research URL

CVE-2025-11244

Home page URL

Security reports for Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease

Application

Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease

Published on
Oct 25, 2025
Research Description
The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.
Affected versions
max 2.7.12.
Status
vulnerable
Previous vulnerability researches
Magento 2 WordPress Integration (CVE-2025-58669) , Oct 11, 2025
New vulnerability
Event Tickets and Registration (CVE-2025-62027) , Dec 11, 2025
Event Tickets and Registration (CVE-2025-11517) , Dec 11, 2025
Eupago Gateway For Woocommerce (CVE-2025-62870) , Dec 11, 2025
Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, (CVE-2025-13196) , Dec 11, 2025
Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, (CVE-2025-11536) , Dec 11, 2025