PT-2025-43704 · WordPress · Password Protect

Dmitry Ignatyev · Published 2025-10-25 · Updated 2025-10-25 · CVE-2025-11244

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Password Protected plugin for WordPress, versions prior to 2.7.12

Description: The Password Protected plugin for WordPress is susceptible to authorization bypass through IP address spoofing. When the "Use transients" feature is enabled, the plugin's pp_get_ip_address() function determines the user's IP address from client-controlled HTTP headers, specifically X-Forwarded-For and HTTP_CLIENT_IP. An attacker can bypass authorization by manipulating these headers to impersonate a legitimately authenticated user, provided the "Use transients" option is enabled and the site is not behind a Content Delivery Network (CDN) or reverse proxy that overwrites these headers.

Recommendations: Update the Password Protected plugin to version 2.7.12 or later.
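The root cause described above is that a request header any client can set was used as the identity key for cached authorization state. The following is an added example written for this advisory, not code from the Password Protected plugin, showing the safe way to resolve a client IP for such a check: use REMOTE_ADDR (taken from the TCP connection, so the client cannot forge it) and honour X-Forwarded-For only when the direct peer is a configured, trusted reverse proxy. The TRUSTED_PROXIES list, the get_client_ip() function name and all addresses are constructed assumptions for the example.

```php
<?php
// Added example (not the plugin's code): resolve a client IP for an
// authorization decision without trusting spoofable request headers.
// TRUSTED_PROXIES is a hypothetical, site-specific list of the reverse proxy /
// CDN addresses that are known to rewrite X-Forwarded-For on the way in.
const TRUSTED_PROXIES = ['10.0.0.5', '203.0.113.10']; // constructed values

/**
 * Return the address to treat as the client's IP, or null to deny.
 *
 * - REMOTE_ADDR is set by the web server from the socket; clients cannot set it.
 * - X-Forwarded-For / Client-IP are ordinary headers any client may send, so
 *   they are consulted only when the peer is a trusted proxy.
 * - Behind a trusted proxy, use the right-most address that a trusted hop
 *   appended, never the left-most one the client itself may have supplied.
 */
function get_client_ip(array $server, array $trusted_proxies = TRUSTED_PROXIES): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // no usable peer address: caller should deny
    }

    // Vulnerable pattern, for contrast only: consulting headers before the
    // peer address lets any client choose the IP it is recorded under.
    //   if (!empty($server['HTTP_X_FORWARDED_FOR'])) { return $server['HTTP_X_FORWARDED_FOR']; }

    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote; // direct client: ignore forwarding headers entirely
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }
    $chain = array_map('trim', explode(',', $xff));
    // Walk from the right, skipping other trusted proxies, to the first
    // address a trusted hop appended.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $candidate = $chain[$i];
        if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header: fall back to the peer address
        }
        if (!in_array($candidate, $trusted_proxies, true)) {
            return $candidate;
        }
    }
    return $remote; // every entry was a trusted proxy
}

// Constructed requests for a CLI self-check (run with: php this_file.php).
$cases = [
    // direct client sending forged headers: both must be ignored
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1', 'HTTP_CLIENT_IP' => '192.0.2.1'],
    // same client arriving through a trusted proxy that appended its address
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.7'],
    // trusted proxy but a malformed header value
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($cases as $srv) {
    printf("peer=%-13s xff=%-26s -> %s\n",
        $srv['REMOTE_ADDR'], $srv['HTTP_X_FORWARDED_FOR'], get_client_ip($srv) ?? 'deny');
}
```

The helper is only as good as the proxy list: if TRUSTED_PROXIES is empty, forwarding headers are never consulted and every request resolves to its peer address, which is the safe default for a site that is not behind a CDN or reverse proxy. Note that the advisory's exploitability condition ("not behind a CDN or reverse proxy that overwrites these headers") is exactly the configuration in which the vulnerable pattern has no trusted hop between the client and the plugin.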

Fix

Weakness Enumeration
Improper Authorization

Related Identifiers

CVE-2025-11244

Affected Products

Password Protect