Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in WP Folio Team PPWP password-protect-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPWP: from n/a through <= 1.9.15.
AnalysisAI
Unauthorized users in WP Folio Team's Password Protect Page plugin (versions up to 1.9.15) can bypass access controls due to missing authorization checks, allowing them to modify page content or cause service disruptions. Authenticated attackers can exploit this vulnerability to escalate privileges and manipulate access restrictions on protected pages. No patch is currently available.
Technical ContextAI
The vulnerability resides in the WP Folio Team PPWP WordPress plugin (identified via CPE cpe:2.3:a:wp_folio_team:ppwp:*:*:*:*:*:*:*:*), which provides password protection functionality for WordPress pages. The root cause is classified under CWE-862: Missing Authorization, indicating that the plugin fails to enforce proper access control checks before granting users access to protected content. Rather than a cryptographic flaw, this is an authorization logic defect where the plugin's access control mechanism either lacks proper validation of user credentials, fails to enforce security level restrictions consistently, or allows enumeration or bypass of the authentication mechanisms intended to protect sensitive pages. WordPress plugins implementing access control must verify user permissions at every entry point; this vulnerability suggests the PPWP plugin has gaps in its authorization enforcement, likely in the page rendering or shortcode processing code paths.
RemediationAI
Immediately upgrade the PPWP plugin to a patched version released after 1.9.15 by WP Folio Team. Check the official plugin page on WordPress.org or contact WP Folio Team for patch availability, as specific patch version numbers were not disclosed in the intelligence sources. Administrators should review all password-protected pages and their security configurations after upgrading to ensure proper authorization logic is in place. As a temporary workaround pending patching, restrict direct access to protected pages at the web server or reverse proxy level using IP allowlisting or require additional authentication layers (such as WordPress user login) before accessing password-protected content. Audit access logs for any unauthorized page access in the period prior to applying patches. Reference the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/password-protect-page/vulnerability/wordpress-ppwp-plugin-1-9-15-broken-access-control-vulnerability for detailed advisory information and patch announcements.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15927
GHSA-8qph-hrcc-w5cj