CVE-2024-11280: 
WordPress vulnerability analysis and mitigation

The PPWP – Password Protect Pages plugin for WordPress (versions up to and including 1.9.5) contains a Sensitive Information Exposure vulnerability identified as CVE-2024-11280. The vulnerability was discovered and disclosed on December 17, 2024. This security issue affects the WordPress plugin's interaction with the WordPress core search feature, potentially exposing restricted content (NVD CVE).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 5.3 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability exists in the plugin's handling of the WordPress core search feature, which fails to properly restrict access to protected content (NVD CVE).

When exploited, this vulnerability allows unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. This means that content intended to be private or restricted could be exposed to unauthorized users (NVD CVE).

Users should update their PPWP – Password Protect Pages plugin to a version newer than 1.9.5 once available. The vulnerability has been reported and is tracked in the WordPress plugin repository (WordPress Plugin).