CVE-2025-11244: 
WordPress vulnerability analysis and mitigation

The Password Protected plugin for WordPress contains an authorization bypass vulnerability (CVE-2025-11244) discovered in versions up to and including 2.7.11. The vulnerability was disclosed on October 24, 2025, and affects the plugin's IP address verification mechanism when the 'Use transients' feature is enabled (NVD).

The vulnerability stems from the plugin's improper handling of client-controlled HTTP headers (X-Forwarded-For, HTTPCLIENTIP, and similar) in the pp_get_ip_address() function when the 'Use transients' feature is enabled. The CVSS v3.1 base score is 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-285 (Improper Authorization) (NVD).

When successfully exploited, this vulnerability allows attackers to bypass authorization controls by spoofing IP addresses of legitimately authenticated users. However, the impact is limited as it requires specific conditions: the 'Use transients' option must be enabled (which is not the default configuration) and the site must not be behind a CDN or reverse proxy that overwrites these headers (NVD).

The vulnerability affects versions up to and including 2.7.11 of the Password Protected WordPress plugin. Users should ensure their sites are properly configured behind a CDN or reverse proxy that overwrites potentially malicious headers, or disable the 'Use transients' feature if it's not necessary (NVD).