WordPress Plugin Vulnerabilities

Password Protected < 2.7.12 - Unauthenticated Authorization Bypass via IP Address Spoofing

Description

The plugin is vulnerable to authorization bypass via IP address spoofing due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.

Affects Plugins

Plugin icon
password-protected
Fixed in 2.7.12

References

CVE
CVE-2025-11244
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/30b4371d-54a2-4111-ad2c-b38b6b31884d

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
3.7 (low)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
494f1308-26f9-41d2-ac80-712131f97090

Timeline

Publicly Published
2025-10-24 (about 8 months ago)
Added
2025-10-27 (about 7 months ago)
Last Updated
2025-10-27 (about 7 months ago)

Other

Published
Title
Published
2024-06-06
Title
Under Construction / Maintenance Mode from Acurax <= 2.6 - Unauthenticated IP Spoofing
Published
2024-09-18
Title
Limit Login Attempts Plus <= 1.1.0 - IP Address Spoofing to Protection Mechanism Bypass
Published
2024-10-07
Title
Limit Login Attempts (Spam Protection) < 5.4 - IP Address Spoofing to Protection Mechanism Bypass
Published
2025-10-30
Title
OOPSpam Anti-Spam < 1.2.54 - Unauthenticated IP Header Spoofing
Published
2024-09-16
Title
Maintenance Redirect < 2.1.0 - IP Spoofing to Maintenance Mode Bypass