CVE-2025-11244
BaseFortify
Publication date: 2025-10-25
Last updated on: 2025-10-27
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | password_protected | 2.7.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Password Protected plugin for WordPress (up to version 2.7.11) where the plugin trusts client-controlled HTTP headers like X-Forwarded-For and HTTP_CLIENT_IP to determine user IP addresses when the 'Use transients' feature is enabled. An attacker can spoof these headers to impersonate a legitimately authenticated user's IP address, thereby bypassing authorization controls if the site is not behind a CDN or reverse proxy that overwrites these headers.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can bypass authorization protections of the Password Protected plugin by spoofing IP addresses, potentially gaining unauthorized access to protected areas of a WordPress site. This could lead to exposure of restricted content or functionality without proper authentication.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the "Use transients" feature in the Password Protected plugin is disabled (as it is a non-default configuration). Additionally, place your WordPress site behind a CDN or reverse proxy that overwrites client-controlled HTTP headers such as X-Forwarded-For and HTTP_CLIENT_IP to prevent IP address spoofing.
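The root cause described above (an IP lookup that prefers client-controlled headers over the socket address) and the mitigation (only honour forwarding headers when the request actually arrives from a trusted reverse proxy) can be shown side by side. The following is an added illustration written for this page, not the Password Protected plugin's own code: the `$_SERVER`-style request dictionaries, the `TRUSTED_PROXIES` range, the `vulnerable_client_ip` / `hardened_client_ip` functions and the tiny in-memory "transient" allow-list are all constructed assumptions.

```python
import ipaddress
from typing import Iterable, Mapping

# Assumed reverse-proxy address range for the hardened resolver. An empty list means
# "this site is not behind a proxy", in which case only REMOTE_ADDR is ever trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def vulnerable_client_ip(server: Mapping[str, str]) -> str:
    """The pattern the advisory describes: consult client-controlled headers first.

    Anyone who can reach the site directly can set HTTP_CLIENT_IP or
    X-Forwarded-For to whatever value they like, so this returns attacker input.
    """
    for key in ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR"):
        value = server.get(key, "")
        if value:
            return value.split(",")[0].strip()
    return ""


def _is_trusted(ip: ipaddress._BaseAddress, proxies: Iterable[ipaddress._BaseNetwork]) -> bool:
    return any(ip in net for net in proxies)


def hardened_client_ip(server: Mapping[str, str], trusted_proxies=TRUSTED_PROXIES) -> str:
    """Trust forwarding headers only when the TCP peer is a known proxy.

    REMOTE_ADDR is set by the web server from the socket and cannot be spoofed by
    the HTTP client. If it is not a trusted proxy, all headers are ignored. If it
    is, X-Forwarded-For is walked from the right (the hop the proxy appended) and
    the first address that is not itself a trusted proxy is the real client.
    """
    remote = server.get("REMOTE_ADDR", "")
    try:
        remote_ip = ipaddress.ip_address(remote)
    except ValueError:
        return ""  # no usable socket address: refuse to resolve

    if not _is_trusted(remote_ip, trusted_proxies):
        return remote  # direct connection: headers are attacker-controlled, ignore them

    chain = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            return remote  # malformed entry: fall back to the proxy address
        if not _is_trusted(hop_ip, trusted_proxies):
            return hop
    return remote  # every hop was a proxy; nothing better than the peer address


# Constructed stand-in for an IP-keyed "transient": the set of addresses that have
# already passed the password check.
AUTHENTICATED_IPS = {"203.0.113.7"}


def is_authorized(server: Mapping[str, str], resolver) -> bool:
    return resolver(server) in AUTHENTICATED_IPS


if __name__ == "__main__":
    # Constructed request: a direct (non-proxied) client at 198.51.100.9 presenting
    # a forged X-Forwarded-For that names an address which is already authenticated.
    forged_direct = {
        "REMOTE_ADDR": "198.51.100.9",
        "HTTP_X_FORWARDED_FOR": "203.0.113.7",
    }
    # Constructed request arriving through the trusted proxy, which appended the
    # true client address after whatever the client sent.
    via_proxy = {
        "REMOTE_ADDR": "10.0.0.5",
        "HTTP_X_FORWARDED_FOR": "203.0.113.7, 198.51.100.9",
    }
    print("vulnerable, direct :", is_authorized(forged_direct, vulnerable_client_ip))  # True
    print("hardened,   direct :", is_authorized(forged_direct, hardened_client_ip))   # False
    print("hardened, via proxy:", hardened_client_ip(via_proxy))                      # 198.51.100.9
```

The hardened resolver is what a reverse proxy or CDN effectively provides when it overwrites the forwarding headers: the socket peer, not the header, decides whether any forwarded value is believed. Leaving `TRUSTED_PROXIES` empty models a site that is not fronted by a proxy, which is exactly the deployment the advisory flags as exposed.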