CVE-2025-5998: 
WordPress vulnerability analysis and mitigation

CVE-2025-5998 affects the PPWP – Password Protect Pages WordPress plugin versions before 1.9.11. The vulnerability allows users with subscriber or greater roles to bypass password authorization and view protected content through the REST API. The issue was discovered and disclosed on August 14, 2025 (WPScan).

The vulnerability exists in the password protection mechanism of the PPWP plugin. While the plugin is designed to protect site content behind a password authorization, it fails to properly restrict access via the WordPress REST API endpoints. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and high impact on confidentiality (AttackerKB).

The vulnerability allows authenticated users with subscriber-level access or higher to bypass the password protection mechanism and access protected content through the REST API. This circumvents the intended security controls and could lead to unauthorized access to sensitive information that was meant to be password-protected (WPScan).

Site administrators should update the PPWP – Password Protect Pages WordPress plugin to version 1.9.11 or later, which contains the fix for this vulnerability (WPScan).