CVE-2025-9034: 
WordPress vulnerability analysis and mitigation

The Wp Edit Password Protected WordPress plugin before version 1.3.5 contains an Open Redirect vulnerability identified as CVE-2025-9034. The vulnerability was discovered by Bob Matyas and was publicly disclosed on August 21, 2025. This security issue affects WordPress installations using the vulnerable plugin versions (WPScan).

The vulnerability stems from the plugin's failure to validate a parameter before redirecting users to its value, resulting in an Open Redirect issue. The vulnerability has been assigned a CVSS 3.1 base score of 6.1 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (AttackerKB).

The Open Redirect vulnerability could allow attackers to redirect users to malicious websites. This type of vulnerability can be exploited for phishing attacks by redirecting users to fraudulent pages while appearing to come from a legitimate WordPress site (WPScan).

The vulnerability has been patched in version 1.3.5 of the Wp Edit Password Protected plugin. Site administrators are advised to update to this version or later to mitigate the risk (WPScan).