Skip to main content

PPWP WordPress Plugin EUVDEUVD-2026-39750

| CVE-2026-57634 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-26 audit@patchstack.com GHSA-xr34-4j63-xfh6
4.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network vector for WordPress web interface; PR:L confirms Contributor auth required; only low integrity impact as IDOR enables unauthorized modification of protection objects without confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:13 vuln.today

DescriptionCVE.org

Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.

AnalysisAI

Password Protect WordPress Page (PPWP) plugin versions up to and including 1.9.19 expose an Insecure Direct Object Reference (IDOR) flaw exploitable by authenticated Contributors, enabling unauthorized modification of password-protected page objects outside the attacker's authorized scope. The plugin fails to validate that the user-supplied object reference belongs to a resource the requesting Contributor is authorized to manage, as classified under CWE-639. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register Contributor-level WordPress account
Delivery
Enumerate target page or protection object IDs
Exploit
Send crafted request referencing out-of-scope object ID
Execution
Bypass plugin IDOR authorization check
Impact
Modify or remove password protection on target page

Vulnerability AssessmentAI

Exploitation Exploitation strictly requires a valid WordPress Contributor-level (or equivalent low-privilege) account on the specific target site - confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.3 Medium score reflects the bounded impact well: the attack is network-accessible with low complexity (AV:N/AC:L), requires only Contributor-level authentication (PR:L), needs no user interaction (UI:N), and produces only low integrity impact with no confidentiality or availability consequence (C:N/I:L/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains a Contributor-level account on a target WordPress site running PPWP ≤1.9.19 crafts HTTP requests that reference the object IDs of password-protected pages owned by other users or administrators. By submitting these requests with predictable or enumerated IDs, the attacker bypasses the plugin's authorization check and modifies or removes password protections on pages outside their own scope, potentially exposing restricted content to unauthenticated visitors. …
Remediation Users should upgrade the PPWP plugin to a version beyond 1.9.19 as soon as a patched release is confirmed via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/password-protect-page/vulnerability/wordpress-ppwp-plugin-1-9-19-insecure-direct-object-references-idor-vulnerability - a specific patched version number is not confirmed in the available source data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy