CVE-2024-0437

MEDIUM

Password Protected - Ultimate Plugin <2.6.6 - Info Disclosure

Title source: llm

Description

The Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the API. This makes it possible for authenticated attackers, with subscriber access or higher, to extract post titles and content, thus bypassing the plugin's password protection.

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3034934%40password-protected%2Ftrunk&old=3005632%40password-protected%2Ftrunk&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/f3045ebf-70af-4124-9116-42c07f64a3bf?source=cve

Scores

CVSS v3 4.3

EPSS 0.0035

EPSS Percentile 27.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (2)

saadiqbal/Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial Content < 2.6.6

wpexpertsio/Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease < 2.6.6

Published May 15, 2024

Tracked Since Feb 18, 2026