CVE-2025-11244 is a security vulnerability classified as CWE-285 (Improper Authorization) found in the WordPress plugin 'Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content' developed by saadiqbal. The vulnerability exists in all versions up to and including 2.7.11. It stems from the plugin's 'pp_get_ip_address()' function, which determines the user's IP address by trusting client-supplied HTTP headers such as X-Forwarded-For and HTTP_CLIENT_IP when the 'Use transients' feature is enabled. This feature is not enabled by default. Because these headers can be spoofed by an attacker, it is possible to bypass the authorization checks that rely on IP address validation, effectively granting unauthorized access to protected content. The vulnerability requires that the site is not protected by a CDN or reverse proxy that overwrites or sanitizes these headers, as such infrastructure would prevent spoofing. The CVSS v3.1 base score is 3.7, indicating a low severity due to the need for specific configuration, no authentication required, no user interaction, and limited confidentiality impact. No known exploits have been reported in the wild, but the vulnerability poses a risk to sites relying on this plugin with the vulnerable configuration. No official patch links are provided yet, so mitigation relies on configuration changes or network-level protections.

The primary impact of this vulnerability is unauthorized access to password-protected WordPress content, which could lead to exposure of sensitive or restricted information. While the vulnerability does not allow modification or deletion of content (no integrity or availability impact), unauthorized disclosure can harm organizations relying on the plugin for access control. The risk is heightened for websites that use the 'Use transients' feature and do not have protective infrastructure like CDNs or reverse proxies that sanitize IP-related headers. Attackers can exploit this flaw remotely without authentication or user interaction, but only if they can spoof IP headers successfully. This could affect organizations that use this plugin to restrict access to internal pages, membership content, or confidential posts. The overall impact is limited by the low severity score and the specific configuration requirements, but it still represents a meaningful risk for affected sites, especially those with sensitive content or regulatory compliance obligations.

1. Disable the 'Use transients' feature in the Password Protected plugin configuration if it is currently enabled, as this is the root cause of the vulnerability. 2. If disabling 'Use transients' is not feasible, implement strict validation and sanitization of client-supplied HTTP headers at the web server or application firewall level to prevent IP spoofing. 3. Deploy a CDN or reverse proxy that overwrites or removes client-controlled IP headers such as X-Forwarded-For and HTTP_CLIENT_IP to ensure the server receives only trusted IP information. 4. Monitor access logs for suspicious IP header patterns or repeated unauthorized access attempts. 5. Keep the plugin updated and monitor for official patches or security advisories from the vendor. 6. Consider additional access control mechanisms such as two-factor authentication or IP whitelisting to protect sensitive content. 7. Conduct regular security assessments of WordPress plugins and configurations to identify and remediate similar risks.