CVE-2025-5998 – The PPWP WordPress plugin before version 1.9.11... (How to Fix)

Q: What is the severity of CVE-2025-5998?

CVE-2025-5998 has a CVSS score of 6.5 (MEDIUM). The PPWP WordPress plugin before version 1.9.11 has an authorization bypass vulnerability where users with subscriber or higher roles can access password-protected content via the REST API. This affects all WordPress sites using vulnerable versions of the PPWP plugin.

📋 TL;DR

The PPWP WordPress plugin before version 1.9.11 has an authorization bypass vulnerability where users with subscriber or higher roles can access password-protected content via the REST API. This affects all WordPress sites using vulnerable versions of the PPWP plugin.

💻 Affected Systems

Products:

PPWP – Password Protect Pages WordPress plugin

Versions: All versions before 1.9.11

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with REST API enabled (default) and the PPWP plugin installed.

📦 What is this software?

Password Protect Wordpress by Passwordprotectwp

View all CVEs affecting Password Protect Wordpress →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Subscriber-level users could access sensitive content intended to be password-protected, potentially exposing confidential information, internal documents, or premium content.

🟠

Likely Case

Subscribers or higher roles unintentionally accessing content they shouldn't see, leading to information disclosure of protected pages.

🟢

If Mitigated

Minimal impact if proper access controls and monitoring are in place to detect unauthorized access attempts.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires at least subscriber-level access. Attackers could create subscriber accounts or compromise existing ones.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.11

Vendor Advisory: https://wpscan.com/vulnerability/17bad181-6cea-445e-b91c-22415d90743e/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Go to Plugins → Installed Plugins. 3. Find 'PPWP – Password Protect Pages'. 4. Click 'Update Now' if available, or download version 1.9.11+ from WordPress repository. 5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable REST API for unauthenticated users

all

Restrict REST API access to authenticated users only to reduce attack surface

Add to wp-config.php: define('REST_API_ENABLED', false);

Temporarily disable PPWP plugin

all

Disable the vulnerable plugin until patched

wp plugin deactivate password-protect-pages

🧯 If You Can't Patch

Restrict user registration to prevent new subscriber accounts
Implement additional access controls at web server level for protected content

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for PPWP version. If version is below 1.9.11, you are vulnerable.

Check Version:

wp plugin get password-protect-pages --field=version

Verify Fix Applied:

After updating, verify PPWP plugin version shows 1.9.11 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

Unusual REST API requests to protected content endpoints
Multiple failed authentication attempts followed by successful API access

Network Indicators:

HTTP requests to /wp-json/ endpoints accessing protected content without proper authorization

SIEM Query:

source="wordpress" AND (uri_path="/wp-json/*" AND status=200) AND user_role="subscriber"

📊 Metadata

CVE ID: CVE-2025-5998

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score: 0.04% exploit probability (12.3th percentile)

Published: August 14, 2025

Last Updated: August 18, 2025

🔗 References

https://wpscan.com/vulnerability/17bad181-6cea-445e-b91c-22415d90743e/ Exploit,Third Party Advisory
https://wpscan.com/vulnerability/17bad181-6cea-445e-b91c-22415d90743e/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON