Description

The WP Private Content Plus plugin through 3.6.2 provides a global content protection feature that requires a password. However, the access control check is based only on the presence of an unprotected client-side cookie. As a result, an unauthenticated attacker can completely bypass the password protection by manually setting the cookie value in their browser.

PUBLISHED Reserved 2025-09-19 | Published 2025-10-13 | Updated 2025-10-13 | Assigner WPScan

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status: affected

Any version: affected

Credits

Lorenzo Camilli (finder)

WPScan (coordinator)

References

wpscan.com/...rability/5295e8da-7aba-4322-981b-80d692b3bc35/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2025-10720)

nvd.nist.gov (CVE-2025-10720)
