CVE-2026-32562

Vulnerability

Overview The PPWP WordPress plugin, used to password-protect pages, contains a missing authorization vulnerability in versions up to and including 1.9.15. This flaw allows an attacker to bypass access controls without proper authentication, effectively exposing protected content.

Exploitation

Details The vulnerability can be exploited remotely without any prior authentication or user interaction. Attackers can send crafted requests to access pages that are intended to be restricted by a password. Given its simplicity, this issue is known to be exploited in mass campaigns, targeting thousands of sites simultaneously [1].

Impact

Successful exploitation enables an attacker to view sensitive content that should be password-protected. This could include private information, business data, or any content the site owner intended to restrict. The CVSS v3 severity is 5.4 (Medium), but the ease of exploitation and active weaponization elevate the risk.

Mitigation

The vendor has released version 1.9.16 which fixes the authorization flaw. Users are strongly advised to update immediately. The vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild [1]. If updating is not possible, implementing a web application firewall rule or restricting access to the plugin's functionality can serve as a temporary workaround.