CVE-2025-10720
Description
The WP Private Content Plus through 3.6.2 provides a global content protection feature that requires a password. However, the access control check is based only on the presence of an unprotected client-side cookie. As a result, an unauthenticated attacker can completely bypass the password protection by manually setting the cookie value in their browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WP Private Content Plus through 3.6.2 trusts an unprotected client-side cookie for password protection, allowing unauthenticated bypass.
Vulnerability
Analysis
The WP Private Content Plus plugin for WordPress, versions 3.6.2 and earlier, implements a global content protection feature that is intended to restrict access to content behind a single password. The access control mechanism is flawed: it relies solely on the presence of an unprotected, client-side cookie to decide whether the correct password has been entered [1]. The server does not validate the cookie's value against a stored secret or a server-side session; it only checks that a cookie with the expected name exists [1]. Because cookies are entirely under the client's control, a presence-only check is equivalent to no check at all: the password prompt can simply be skipped, so the password never has to be known.
Exploitation
An unauthenticated attacker can bypass the password protection entirely by manually setting the required cookie in their browser. No account, prior access, special network position or user interaction is required [1]: setting the cookie name (which is predictable) to any arbitrary value is sufficient to be served the protected content [1]. The referenced advisory includes a proof of concept confirming the bypass [1]. Site owners can reproduce it against their own installation by adding the plugin's unlock cookie in the browser's developer tools (or with curl's -b option) and requesting a protected page; if the content is returned instead of the password form, the site is affected.
Impact
Successful exploitation allows an attacker to view any content that is meant to be protected by the plugin's global password feature, which may include sensitive information, private pages or restricted posts. The attacker does not need to know the legitimate password, and changing the password does not help, because the password is never consulted once the cookie is present. The bypass cannot be prevented through the plugin's own settings without a fix [1].
Mitigation
As of the latest advisory, no fix is available for this vulnerability, and the plugin is affected up to version 3.6.2 [1]. Disabling the global content protection feature does not expose anything that was not already reachable, since the feature currently provides no effective protection; the point of disabling it is to stop relying on it. Content that genuinely needs to be restricted should be moved behind a mechanism that is validated on the server: WordPress core's per-post password (checked server-side on every request through post_password_required()), role-based or membership-based visibility, or authentication enforced by the web server. Alternatively, replace the plugin with one that implements server-side access control checks [1], and watch for a vendor update. The vulnerability has been publicly disclosed and is documented on the WPScan vulnerability database [1].
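The presence-only cookie check described in the Analysis and Exploitation sections above, placed beside a server-validated alternative of the kind the Mitigation section calls for. This is an added example written for this page, not code from WP Private Content Plus: the cookie name `demo_content_unlock`, the one-hour token lifetime and the randomly generated secret are assumptions, and the real plugin's cookie name is deliberately not reproduced. It runs stand-alone with the PHP CLI (`php demo.php`).

```php
<?php
// Added illustration for this advisory; it is not code from WP Private Content
// Plus. The cookie name, TTL and secret below are hypothetical, and the real
// plugin's cookie name is deliberately not reproduced.
declare(strict_types=1);

const DEMO_COOKIE = 'demo_content_unlock'; // hypothetical cookie name
const TOKEN_TTL   = 3600;                  // how long a successful unlock lasts, in seconds

// Vulnerable pattern described in the advisory: the server asks only whether
// the cookie is present. Cookies are client-controlled, so this accepts any
// value an attacker types into the browser's cookie store.
function vulnerable_is_unlocked(array $cookies): bool
{
    return isset($cookies[DEMO_COOKIE]);
}

// Hardened pattern: after the password has been verified, the server issues
// "<expiry>.<hmac>" where the HMAC is keyed with a secret that never leaves the
// server (in WordPress, wp_salt('auth') is the usual source of such a secret).
function issue_unlock_token(string $serverSecret, int $now): string
{
    $expiry = (string) ($now + TOKEN_TTL);
    return $expiry . '.' . hash_hmac('sha256', $expiry, $serverSecret);
}

// Every request recomputes the HMAC; the cookie's existence proves nothing.
function hardened_is_unlocked(array $cookies, string $serverSecret, int $now): bool
{
    $raw = $cookies[DEMO_COOKIE] ?? null;
    if (!is_string($raw)) {
        return false;
    }
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || strlen($parts[1]) !== 64) {
        return false; // malformed token
    }
    [$expiry, $mac] = $parts;
    if ((int) $expiry < $now) {
        return false; // expired token
    }
    $expected = hash_hmac('sha256', $expiry, $serverSecret);
    // hash_equals() runs in constant time, so a wrong MAC leaks no timing hint.
    return hash_equals($expected, $mac);
}

// Demo: the same cookie jars (constructed here) against both checks.
$secret = bin2hex(random_bytes(32)); // server-side secret, never sent to clients
$now    = time();

$jars = [
    'forged (attacker sets any value)'   => [DEMO_COOKIE => 'anything'],
    'tampered (valid shape, wrong MAC)'  => [DEMO_COOKIE => ($now + TOKEN_TTL) . '.' . str_repeat('0', 64)],
    'expired (old but correctly signed)' => [DEMO_COOKIE => issue_unlock_token($secret, $now - 2 * TOKEN_TTL)],
    'legitimate (issued after password)' => [DEMO_COOKIE => issue_unlock_token($secret, $now)],
];

foreach ($jars as $label => $cookies) {
    printf(
        "%-36s vulnerable=%-5s hardened=%s\n",
        $label,
        vulnerable_is_unlocked($cookies) ? 'true' : 'false',
        hardened_is_unlocked($cookies, $secret, $now) ? 'true' : 'false'
    );
}
```

The vulnerable check accepts every jar because each one merely contains the cookie; the hardened check accepts only the token the server itself issued and rejects the forged, tampered and expired ones. In a real WordPress deployment the token should also be set with the HttpOnly, Secure and SameSite attributes, and the secret should come from wp_salt('auth') rather than being generated per process as it is in this demo. Note that even the hardened form still grants one token for all content behind the single global password; that is a property of the feature's design, not of the cookie handling.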
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=3.6.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.