WP Private Content Plus <= 3.6.2 – Password Protection Bypass | CVE 2025-10720

Description

The plugin provides a global content protection feature that requires a password. However, the access control check is based only on the presence of an unprotected client-side cookie. As a result, an unauthenticated attacker can completely bypass the password protection by manually setting the cookie value in their browser.

Proof of Concept

1. Enable the plugin's functions by selecting the "Enable Private Content Module" option on the plugin's main settings page.
2. Go to the "Password settings" tab in the plugin's settings, select "Enable for all users" from the "Global Password Protection Status" drop-down menu, insert a password, and then save. This will configure a password for all the pages.
3. Navigate to the page protected by the password. You will then be prompted to enter the password.
4. Open the developer tools in the console tab of your browser.
5. Create a new cookie manually by prompting: document.cookie = "wppcp_global_password_protected_status=ACTIVE; path=/";
6. Refresh the page.