Vulnerability Description
The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.
CVSS Score
LOW
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/password-protected/tags/2.7.11/includ
- https://research.cleantalk.org/cve-2025-11244/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/30b4371d-54a2-4111-ad2
FAQ
What is CVE-2025-11244?
CVE-2025-11244 is a vulnerability with a CVSS score of 3.7 (LOW). The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-contro...
How severe is CVE-2025-11244?
CVE-2025-11244 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-11244?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.