Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network vector for WordPress web interface; PR:L confirms Contributor auth required; only low integrity impact as IDOR enables unauthorized modification of protection objects without confidentiality or availability consequence.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.
AnalysisAI
Password Protect WordPress Page (PPWP) plugin versions up to and including 1.9.19 expose an Insecure Direct Object Reference (IDOR) flaw exploitable by authenticated Contributors, enabling unauthorized modification of password-protected page objects outside the attacker's authorized scope. The plugin fails to validate that the user-supplied object reference belongs to a resource the requesting Contributor is authorized to manage, as classified under CWE-639. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation strictly requires a valid WordPress Contributor-level (or equivalent low-privilege) account on the specific target site - confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.3 Medium score reflects the bounded impact well: the attack is network-accessible with low complexity (AV:N/AC:L), requires only Contributor-level authentication (PR:L), needs no user interaction (UI:N), and produces only low integrity impact with no confidentiality or availability consequence (C:N/I:L/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or obtains a Contributor-level account on a target WordPress site running PPWP ≤1.9.19 crafts HTTP requests that reference the object IDs of password-protected pages owned by other users or administrators. By submitting these requests with predictable or enumerated IDs, the attacker bypasses the plugin's authorization check and modifies or removes password protections on pages outside their own scope, potentially exposing restricted content to unauthenticated visitors. … |
| Remediation | Users should upgrade the PPWP plugin to a version beyond 1.9.19 as soon as a patched release is confirmed via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/password-protect-page/vulnerability/wordpress-ppwp-plugin-1-9-19-insecure-direct-object-references-idor-vulnerability - a specific patched version number is not confirmed in the available source data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39750
GHSA-xr34-4j63-xfh6