CVE-2024-11282
Published: 07 January 2025
Description
The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
Security Summary
CVE-2024-11282 is a Sensitive Information Exposure vulnerability (CWE-200) in the Passster – Password Protect Pages and Content plugin for WordPress, affecting all versions up to and including 4.2.10. The flaw occurs via the WordPress core search feature, enabling the extraction of sensitive data from posts restricted to higher-level roles such as administrator. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Exploitation allows them to retrieve sensitive information from protected posts that should only be accessible to administrators or other high-privilege roles.
Advisories reference a patch in the plugin's Trac repository at changeset 3211004 under content-protector, with further details available in Wordfence's threat intelligence report. Security practitioners should update to a version beyond 4.2.10 to mitigate the issue.
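Beyond updating, the defensive pattern for this class of bug is to keep role-restricted posts out of WordPress search results for visitors who lack the reading privilege. The must-use plugin below is an added example written for this page, not Passster's code or its patch; the meta key that marks a post as restricted is a placeholder assumption and must be replaced with whatever your protection plugin actually sets.

```php
<?php
/**
 * Plugin Name: Exclude restricted posts from search (added example)
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Placeholder assumption: the post meta key your protection plugin uses to
// mark a post as restricted. This is NOT Passster's real key.
const RESTRICTED_META_KEY = '_example_restricted';

add_action( 'pre_get_posts', function ( WP_Query $query ) {
    // Only touch search requests; admin screens and ordinary archive
    // queries are left untouched so editing and listing still work.
    if ( is_admin() || ! $query->is_search() ) {
        return;
    }

    // Users who may read private posts (administrators, editors) keep full
    // results; everyone else, including anonymous visitors, is filtered.
    if ( current_user_can( 'read_private_posts' ) ) {
        return;
    }

    // Preserve any meta_query another plugin already attached to this query.
    $meta_query = $query->get( 'meta_query' );
    if ( ! is_array( $meta_query ) ) {
        $meta_query = array();
    }

    // Require that the restriction marker be absent. Posts that never had
    // the key are unaffected; marked posts disappear from search, so their
    // body text cannot leak through result excerpts.
    $meta_query[] = array(
        'key'     => RESTRICTED_META_KEY,
        'compare' => 'NOT EXISTS',
    );
    $query->set( 'meta_query', $meta_query );
} );
```

Because `pre_get_posts` also fires for REST and widget searches that set `s`, the filter covers those paths too; verify it with a logged-out request to `/?s=<word from a restricted post>` before and after installing it.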
Details
- CWE(s)