CVE-2025-9034
Description
The Wp Edit Password Protected WordPress plugin before 1.3.5 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Wp Edit Password Protected plugin before 1.3.5 lacks parameter validation, allowing an open redirect vulnerability.
The Wp Edit Password Protected WordPress plugin, prior to version 1.3.5, fails to validate a parameter before redirecting the user to its value. This unvalidated redirect functionality introduces an open redirect vulnerability, classified as CWE-601 [1].
Exploitation occurs when an attacker crafts a malicious URL that passes an external destination through the vulnerable parameter. The plugin then redirects the visiting user to that attacker-controlled site. No authentication is required; the attack only needs a user to click the crafted link [1].
A successful open redirect can be used in phishing campaigns to trick users into visiting malicious sites that appear legitimate, as the initial domain belongs to a trusted WordPress site. The vulnerability has a CVSS score of 3.1 (Low) under EPSS scoring, but the impact depends on the trust users place in the affected site [1].
The vulnerability has been fixed in version 1.3.5 of the plugin. Users are strongly advised to update to the latest version to eliminate the open redirect risk. The issue was reported by researcher Bob Matyas and published on August 21, 2025 [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
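For sites that cannot update immediately, the redirect pattern described above can be hunted for in web-server access logs. The following is an added example, not code from the plugin or from this page: the log lines are constructed, and the host names and the parameter name `redirect_to` are assumptions, since the record does not name the vulnerable parameter (the check therefore inspects every query parameter).

```python
import re
from urllib.parse import urlsplit, parse_qsl

SITE_HOST = "blog.example.org"  # assumption: host name of the WordPress site

# Constructed access-log lines; "redirect_to" is a hypothetical parameter name.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Aug/2025:10:01:02 +0000] "GET /protected/?redirect_to=%2Fmembers%2F HTTP/1.1" 302 0',
    '203.0.113.9 - - [21/Aug/2025:10:02:10 +0000] "GET /protected/?redirect_to=https%3A%2F%2Felsewhere.example.net%2F HTTP/1.1" 302 0',
    '198.51.100.4 - - [21/Aug/2025:10:03:44 +0000] "GET /protected/?redirect_to=%2F%2Felsewhere.example.net%2Fa HTTP/1.1" 302 0',
    '198.51.100.4 - - [21/Aug/2025:10:04:00 +0000] "GET /protected/?redirect_to=https%3A%2F%2Fblog.example.org%2Fok HTTP/1.1" 302 0',
    '198.51.100.5 - - [21/Aug/2025:10:05:00 +0000] "GET /?s=https%3A%2F%2Felsewhere.example.net HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def external_host(value, site_host):
    """Return the off-site host a browser would navigate to, or None."""
    # Browsers treat backslashes as slashes, so "\\host" behaves like "//host".
    candidate = value.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return None
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None
    return host if host and host != site_host.lower() else None


def find_offsite_redirects(lines, site_host):
    """Flag 3xx responses where any query parameter points at another host."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or not m.group(2).startswith("3"):
            continue  # only requests the server answered with a redirect
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            host = external_host(value, site_host)
            if host:
                hits.append((line.split()[0], name, host))
    return hits


if __name__ == "__main__":
    for client, param, host in find_offsite_redirects(SAMPLE_LOG, SITE_HOST):
        print(f"{client} redirected via {param} to {host}")
```

Relative paths, same-host URLs and non-redirect responses are ignored, so a hit means the server answered with a 3xx while a parameter carried another host.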
Affected products (2)
- (no CPE) range: <1.3.5
- (no CPE) range: <1.3.5
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.