CVE-2025-11244
The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers to determine user IP...
CVE-2025-11244 Password Protected <= 2.7.11 - Unauthenticated Authorization Bypass via IP Address Spoofing
The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers to determine user IP...
WordPress Password Protected plugin <= 2.7.11 - Unauthenticated Authorization Bypass via IP Address Spoofing vulnerability
Unauthenticated Authorization Bypass via IP Address Spoofing vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Password Protected versions <= 2.7.11...
PT-2025-16952 · WordPress · Password Protect
Name of the Vulnerable Software and Affected Versions: Password Protected plugin versions up to, and including, 2.7.7 Description: The issue allows unauthenticated attackers to extract sensitive data, including all protected site content, if the 'Use Transient' setting is enabled. This is possibl...
WordPress Password Protected Plugin <= 2.6.6 is vulnerable to Cross Site Scripting (XSS)
Software: Password Protected; Type: Plugin; Vulnerable versions: <= 2.6.6; Fixed in: 2.6.7; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-0656; Patch priority: Low; CVSS severity: Low (5.9); PSID: 7a68f344cd36; Credits: Felipe Restrepo...
PT-2024-15723 · WordPress · The Password Protected – Ultimate Plugin To Password Protect Your Wordpress Content With Ease
Name of the Vulnerable Software and Affected Versions: The Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress versions up to, and including, 2.6.6 Description: The issue is related to Stored Cross-Site Scripting via the Google Captcha Si...
CVE-2023-32580
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPExperts Password Protected plugin <= 2.6.2 versions...
CVE-2023-32580
CVE-2023-32580 affects the WordPress plugin “Password Protected” (WPExperts) ≤ 2.6.2. The issue is an authenticated (admin+) Stored Cross‑Site Scripting (XSS) vulnerability, enabling script injection via the plugin’s handling of input when already logged in as an administrator. Multiple sources c...