
Cloud Vulnerability DB
A community-led vulnerabilities database
The WP Private Content Plus plugin through version 3.6.2 contains a critical security vulnerability (CVE-2025-10720) that affects its global content protection feature. The vulnerability was discovered on September 19, 2025, and involves a password protection bypass issue. The plugin is designed to protect content with password authentication, but due to improper implementation, the security measure can be completely circumvented (WPScan, NVD).
The vulnerability stems from a flawed access control mechanism that relies solely on an unprotected client-side cookie for authentication verification. The CVSS v3.1 base score is 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating that the vulnerability can be exploited over the network with low attack complexity and requires no privileges or user interaction (NVD).
An unauthenticated attacker can bypass the password protection mechanism entirely by manually setting a cookie value in their browser. This allows unauthorized access to protected content that should only be accessible after providing the correct password (WPScan).
Currently, there is no known fix available for this vulnerability. Users of WP Private Content Plus version 3.6.2 and earlier should consider implementing alternative content protection methods or removing sensitive content until a patch is released (WPScan).
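For sites that move to their own content gate in the meantime, the following added example (not the plugin's code and not taken from the advisory) contrasts the class of flaw described above, a check that trusts a browser-controlled cookie, with a server-verified HMAC token. The cookie name, function names and token layout are hypothetical, and the secret is assumed to be a persistent server-side key.

```php
<?php
// Added illustration with hypothetical names; not WP Private Content Plus code.
const COOKIE_NAME = 'content_unlocked'; // hypothetical cookie name
const TOKEN_TTL   = 3600;               // seconds an unlock stays valid

// WEAK pattern: the decision rests on a value the browser fully controls.
function weak_is_unlocked(array $cookies): bool {
    return isset($cookies[COOKIE_NAME]) && $cookies[COOKIE_NAME] === '1';
}

// HARDENED: call this only after the submitted password has been verified.
// The MAC covers the expiry and the current password hash, so the token
// cannot be forged, extended, or reused after the password changes.
function issue_token(string $secret, string $passwordHash, int $now): string {
    $expires = $now + TOKEN_TTL;
    $mac = hash_hmac('sha256', $expires . '|' . $passwordHash, $secret);
    return $expires . '.' . $mac;
}

function hardened_is_unlocked(array $cookies, string $secret,
                              string $passwordHash, int $now): bool {
    $raw = $cookies[COOKIE_NAME] ?? '';
    // Cookie values can arrive as arrays; accept only "<expiry>.<64 hex chars>".
    if (!is_string($raw)
        || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $raw, $m)) {
        return false;
    }
    if ((int) $m[1] < $now) {
        return false; // token expired
    }
    $expected = hash_hmac('sha256', $m[1] . '|' . $passwordHash, $secret);
    return hash_equals($expected, $m[2]); // constant-time comparison
}

// Constructed demo values.
$secret = random_bytes(32); // in production: a stored key, not per-request
$hash   = password_hash('constructed-demo-password', PASSWORD_DEFAULT);
$now    = time();

$clientSet = [COOKIE_NAME => '1'];                              // set by hand in a browser
$issued    = [COOKIE_NAME => issue_token($secret, $hash, $now)]; // set by the server

var_dump(weak_is_unlocked($clientSet));                          // weak check
var_dump(hardened_is_unlocked($clientSet, $secret, $hash, $now)); // hand-set value
var_dump(hardened_is_unlocked($issued, $secret, $hash, $now));    // server-issued token
var_dump(hardened_is_unlocked($issued, $secret, $hash, $now + TOKEN_TTL + 1)); // after expiry
```

When sending the token, set the cookie with the `HttpOnly` and `Secure` attributes so it is not readable from scripts or sent over plain HTTP.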
Source: This report was generated using AI