CVE-2025-11244: CWE-285 Improper Authorization in saadiqbal Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content
The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.
AI Analysis
Technical Summary
The Password Protected WordPress plugin (up to version 2.7.11) suffers from an improper authorization vulnerability (CWE-285) due to trusting client-supplied HTTP headers for IP address determination in the pp_get_ip_address() function when the "Use transients" feature is enabled. This allows attackers to spoof IP headers like X-Forwarded-For to impersonate legitimate authenticated users and bypass password protection. The vulnerability is conditional on the "Use transients" option being enabled (which is not the default) and the absence of a CDN or reverse proxy that sanitizes these headers.
Potential Impact
An attacker can bypass the plugin's authorization protections by spoofing IP address headers, potentially gaining unauthorized access to password-protected content. The impact is limited to confidentiality (partial bypass of access controls) with no integrity or availability impact. The CVSS score of 3.7 reflects a low severity vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to disable the "Use transients" feature if enabled, and ensure the site is behind a CDN or reverse proxy that overwrites or sanitizes client-supplied IP headers such as X-Forwarded-For. Monitoring for updates from the plugin vendor is advised.
CVE-2025-11244: CWE-285 Improper Authorization in saadiqbal Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content
Description
The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Password Protected WordPress plugin (up to version 2.7.11) suffers from an improper authorization vulnerability (CWE-285) due to trusting client-supplied HTTP headers for IP address determination in the pp_get_ip_address() function when the "Use transients" feature is enabled. This allows attackers to spoof IP headers like X-Forwarded-For to impersonate legitimate authenticated users and bypass password protection. The vulnerability is conditional on the "Use transients" option being enabled (which is not the default) and the absence of a CDN or reverse proxy that sanitizes these headers.
Potential Impact
An attacker can bypass the plugin's authorization protections by spoofing IP address headers, potentially gaining unauthorized access to password-protected content. The impact is limited to confidentiality (partial bypass of access controls) with no integrity or availability impact. The CVSS score of 3.7 reflects a low severity vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to disable the "Use transients" feature if enabled, and ensure the site is behind a CDN or reverse proxy that overwrites or sanitizes client-supplied IP headers such as X-Forwarded-For. Monitoring for updates from the plugin vendor is advised.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-02T14:25:50.992Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68fc626907185a1a52fd75ff
Added to database: 10/25/2025, 5:38:49 AM
Last enriched: 4/9/2026, 8:49:42 PM
Last updated: 5/10/2026, 4:30:45 AM
Views: 250
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.