Primary

Context

WordPress Password Protected Plugin Authorization Bypass Vulnerability via IP Spoofing

Vulnerability

A vulnerability exists in the Password Protected plugin for WordPress, allowing authorization bypass through IP address spoofing. This issue affects all versions up to and including 2.7.11. The vulnerability arises because the plugin relies on client-controlled HTTP headers, such as X-Forwarded-For and HTTP_CLIENT_IP, to determine user IP addresses. When the 'Use transients' feature is enabled, this trust can be exploited by spoofing these headers with the IP address of an authenticated user. The site must not be behind a CDN or reverse proxy that alters these headers for the attack to be successful.

Impact

Exploitation of this vulnerability allows for unauthorized access by bypassing IP-based authorization controls, potentially leading to unauthorized actions or access within the WordPress site.

Remediation

Users are advised to update the Password Protected plugin to version 2.7.12 or a newer patched version.

Added: Oct 25, 2025, 6:30 AM

Updated: Oct 25, 2025, 6:30 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.1

remediation

7.7

relevance

0.8

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.1

remediation

7.7

relevance

0.8

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WordPress Password Protected Plugin Authorization Bypass Vulnerability via IP Spoofing

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating