CVE-2025-22415: 
NixOS vulnerability analysis and mitigation

The PPWP – Password Protect Pages WordPress plugin before version 1.9.11 contains a security vulnerability that allows unauthorized access to password-protected content. The vulnerability was discovered by Pierre Rudloff and was publicly disclosed on July 24, 2025 (WPScan).

The vulnerability exists in the plugin's REST API implementation. While the plugin is designed to protect site content behind password authorization, users with subscriber or greater roles can bypass this protection by accessing content through the WordPress REST API endpoints. The vulnerability has been assigned CVE-2025-5998 and received a CVSS 3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NIST NVD).

The vulnerability allows authenticated users with subscriber-level access to bypass password protection mechanisms and view protected content through the REST API. This circumvents the intended security controls of the plugin, potentially exposing sensitive or restricted content to unauthorized users (WPScan).

The vulnerability has been fixed in version 1.9.11 of the PPWP – Password Protect Pages WordPress plugin. Site administrators should update to this version or later to protect against unauthorized access (WPScan).