Authorization Bypass Vulnerability in Password Protected Plugin for WordPress
CVE-2025-11244

3.7 LOW

What is CVE-2025-11244?

The Password Protected plugin for WordPress is vulnerable to an authorization bypass via IP address spoofing in all versions up to and including 2.7.11. The plugin determines the client's IP address from client-controlled HTTP headers such as X-Forwarded-For, so a remote attacker can present an arbitrary source address. When the 'Use transients' feature is enabled, an attacker can use a spoofed address to impersonate a visitor who has already authenticated. Exploitation requires that the site is not behind a CDN or reverse proxy that would overwrite these headers, since such a layer replaces the attacker-supplied value with the real one.
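The weakness described above is a general one: any access decision keyed on an IP address is only as strong as the code that resolves that address, and reading X-Forwarded-For on a server that is not behind a proxy hands the decision to the client. The following is an added illustrative example, not the plugin's own code, contrasting a lookup that trusts the header unconditionally with a hardened variant that honours it only when the direct peer (`REMOTE_ADDR`) is a configured proxy. The function names, the `$trusted_proxies` parameter and the sample request arrays are assumptions constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```php
<?php
// Added example (not code from the Password Protected plugin).
// Shows why an IP-keyed access check must not read X-Forwarded-For blindly,
// and how a trusted-proxy allowlist limits the header to the cases where it
// is actually set by infrastructure rather than by the remote client.

// Vulnerable pattern: whatever the client sends in X-Forwarded-For wins.
// On a site with no proxy in front of it, the header is attacker-controlled.
function client_ip_insecure(array $server): string {
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($hops[0]);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened pattern: the header is consulted only when the TCP peer is one of
// the configured proxies. The client address is the right-most hop that is
// not itself a trusted proxy, because that is the hop the proxy appended.
// $trusted_proxies is a hypothetical configuration value for this example.
function client_ip_hardened(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection: the header cannot be trusted, so ignore it entirely.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (!in_array($hop, $trusted_proxies, true)
            && filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop;
        }
    }
    // Every hop was a trusted proxy or malformed; fall back to the peer address.
    return $remote;
}

// Constructed sample requests (no real traffic). 203.0.113.0/24, 198.51.100.0/24
// and 192.0.2.0/24 are documentation ranges.
$trusted_proxies = ['198.51.100.10'];

// Case 1: no proxy in front of the site; the client forges the header to claim
// the address of a visitor who already passed the password check.
$direct_spoofed = [
    'REMOTE_ADDR'          => '203.0.113.77',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.5',
];

// Case 2: a genuine proxy at 198.51.100.10 forwards a request from 192.0.2.5.
$via_proxy = [
    'REMOTE_ADDR'          => '198.51.100.10',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.5, 198.51.100.10',
];

echo "direct, spoofed header\n";
echo "  insecure : " . client_ip_insecure($direct_spoofed) . "\n";               // 192.0.2.5 (attacker's choice)
echo "  hardened : " . client_ip_hardened($direct_spoofed, $trusted_proxies) . "\n"; // 203.0.113.77 (real peer)

echo "via trusted proxy\n";
echo "  insecure : " . client_ip_insecure($via_proxy) . "\n";                    // 192.0.2.5
echo "  hardened : " . client_ip_hardened($via_proxy, $trusted_proxies) . "\n";  // 192.0.2.5
```

Run with `php example.php`. The point of the contrast is the first case: with no proxy in front of the site, the insecure lookup returns the forged address, so any state keyed on it (a transient recording that an IP has passed the password prompt, for instance) is shared with whoever claims that address; the hardened lookup returns the true peer because the header was not set by a trusted hop. When a site really is behind a CDN or reverse proxy, the allowlist should contain only that proxy's addresses, and the proxy itself must be configured to overwrite, not append to, any X-Forwarded-For value the client supplies.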

Affected Version(s)

Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content <= 2.7.11

References

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev