Sensitive Information Exposure in WordPress Plugin by Password Protected
CVE-2025-3453

5.3 MEDIUM

What is CVE-2025-3453?

The Password Protected plugin for WordPress lets site owners secure content by requiring a password for access. A vulnerability in the 'password_protected_cookie' function exposes sensitive information, enabling unauthorized users to retrieve protected site content. The issue is particularly concerning on any site where the 'Use Transient' setting is active, as it can lead to data leakage. Site administrators should make sure they are running a version of the plugin later than 2.7.7 to mitigate the risk.

Affected Version(s)

Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more * <= 2.7.7

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Brian Sans-Souci
Audrey François