{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3453", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-08T15:51:36.979Z", "datePublished": "2025-04-17T11:13:05.367Z", "dateUpdated": "2026-04-08T16:42:08.874Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:08.874Z"}, "affected": [{"vendor": "saadiqbal", "product": "Password Protected \u2014 Lock Entire Site, Pages, Posts, Categories, and Partial Content", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.7.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Password Protected \u2013 Password Protect your WordPress Site, Pages, & WooCommerce Products \u2013 Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled."}], "title": "Password Protected \u2013 Password Protect your WordPress Site, Pages, & WooCommerce Products <= 2.7.7 - Unauthenticated Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/241d75ca-55e3-461a-9844-52e69904da1b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/password-protected/trunk/includes/compatibility.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3274358/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}, {"lang": "en", "type": "finder", "value": "Audrey Fran\u00e7ois"}], "timeline": [{"time": "2025-04-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-17T14:31:09.890393Z", "id": "CVE-2025-3453", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T14:34:17.596Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3453", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-17T14:31:09.890393Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T14:31:18.301Z"}}], "cna": {"title": "Password Protected \u2013 Password Protect your WordPress Site, Pages, & WooCommerce Products <= 2.7.7 - Unauthenticated Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}, {"lang": "en", "type": "finder", "value": "Audrey Fran\u00e7ois"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "saadiqbal", "product": "Password Protected \u2013 Password Protect your WordPress Site, Pages, & WooCommerce Products \u2013 Restrict Content, Protect WooCommerce Category and more", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.7.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/241d75ca-55e3-461a-9844-52e69904da1b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/password-protected/trunk/includes/compatibility.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3274358/"}], "descriptions": [{"lang": "en", "value": "The Password Protected \u2013 Password Protect your WordPress Site, Pages, & WooCommerce Products \u2013 Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-17T11:13:05.367Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3453", "state": "PUBLISHED", "dateUpdated": "2025-04-17T14:34:17.596Z", "dateReserved": "2025-04-08T15:51:36.979Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-17T11:13:05.367Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Password Protected \u2013 Password Protect your WordPress Site, Pages, & WooCommerce Products \u2013 Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled."}, {"lang": "es", "value": "El complemento Password Protected \u2013 Password Protect your WordPress Site, Pages, &amp; WooCommerce Products \u2013 Restrict Content, Protect WooCommerce Category and more para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en todas las versiones hasta la 2.7.7 incluida, a trav\u00e9s de la funci\u00f3n \"password_protected_cookie\". Esto permite que atacantes no autenticados extraigan datos confidenciales, incluido todo el contenido protegido del sitio, si la opci\u00f3n \"Usar transitorio\" est\u00e1 activada."}], "id": "CVE-2025-3453", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-17T12:15:15.467", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/password-protected/trunk/includes/compatibility.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3274358/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/241d75ca-55e3-461a-9844-52e69904da1b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:32:02.412454+00:00", "value": {"mitigation_remediation": ["Upgrade the Password Protected plugin to the latest released version that eliminates the exposed cookie handling.", "If an upgrade cannot be applied immediately, disable the 'Use Transient' option within the plugin\u2019s settings to prevent sensitive data from being stored in a manner exploitable by unauthenticated users.", "Consider disabling or replacing the plugin with a more secure access\u2011control solution until a proper fix is available."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "The issue affects installations of the Password Protected plugin \u2013 Lock Entire Site, Pages, Posts, Categories, and Partial Content \u2013 by the vendor Saadiqbal. All released versions up to and including version 2.7.7 are vulnerable. The plugin is a WordPress plugin that restricts access to site content, pages, and WooCommerce products; users who rely on it for site protection are impacted.", "description_and_impact": "The Password Protected plugin for WordPress is vulnerable through its password_protected_cookie function. Unauthenticated users can invoke this function to extract all protected site content when the 'Use Transient' option is enabled. The flaw allows an attacker to obtain sensitive information that should remain restricted, effectively bypassing the plugin\u2019s content\u2011level protection. The weakness is categorized as CWE\u2011863, reflecting an insufficiently limited functionality exposed to unauthorized users.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation of this flaw is currently unlikely, and it is not listed in the CISA KEV catalog. The known attack surface is a remote, unauthenticated web request to the plugin when the 'Use Transient' setting is active. An attacker would need network access to the WordPress site, but no authentication or prior setup is required, making the vulnerability potentially exploitable in production environments that rely on this plugin for access control."}}}}, "created": "2026-04-22T17:45:22.918169+00:00", "updated": "2026-04-22T17:45:22.918179+00:00", "vendors": []}