WordPress Plugin Vulnerabilities

Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products < 2.7.8 - Unauthenticated Sensitive Information Exposure

Description

The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled.

Affects Plugins

Plugin icon
password-protected
Fixed in 2.7.8

References

CVE
CVE-2025-3453
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/241d75ca-55e3-461a-9844-52e69904da1b

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Brian Sans-Souci (liardom), the sneaky squirrel
Verified
No
WPVDB ID
0e4962b2-8ec6-41f7-b0c5-0254f5baf0a5

Timeline

Publicly Published
2025-04-16 (about 1 year ago)
Added
2025-04-16 (about 1 year ago)
Last Updated
2025-04-17 (about 1 year ago)

Other

Published
Title
Published
2024-10-24
Title
Mapster WP Maps < 1.6.0 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update
Published
2023-11-16
Title
Jetpack < 12.7 - Improper Authorization via WPCom External Media REST endpoints
Published
2025-07-10
Title
Premium Age Verification / Restriction for WordPress <= 3.0.2 - Unauthenticated Arbitrary File Read/Write
Published
2023-11-28
Title
SchedulePress < 5.0.5 - Contributor+ Arbitrary Post Update/Deletion
Published
2022-11-17
Title
Crowdsignal Dashboard < 3.0.10 - Contributor+ Rating Settings Update