Authorization Bypass Vulnerability in Password Protected Plugin for WordPress
CVE-2025-11244

3.7LOW

Key Information:

Vendor

WordPress
Status
Password Protected β€” Lock Entire Site, Pages, Posts, Categories, And Partial Content
Vendor
CVE Published:
25 October 2025

What is CVE-2025-11244?

The Password Protected plugin for WordPress allows attackers to bypass authorization through IP address spoofing. This vulnerability impacts versions up to and including 2.7.11, utilizing a flaw in how the plugin evaluates client-controlled HTTP headers like X-Forwarded-For. When the 'Use transients' feature is enabled, attackers can exploit this weakness to impersonate authenticated users. This deliberate oversight requires that the site is not behind a CDN or reverse proxy that could alter these headers, enabling potential unauthorized access.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Password Protected β€” Lock Entire Site, Pages, Posts, Categories, and Partial Content * <= 2.7.11

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/password-prote...
https://research.cleantalk.org/cve-2025-11244/

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
JSON
.