CVE-2024-11282 Overview
CVE-2024-11282 affects the Passster – Password Protect Pages and Content plugin for WordPress, developed by wpchill. The vulnerability allows unauthenticated attackers to retrieve content from protected posts by leveraging the WordPress core search feature. All plugin versions up to and including 4.2.10 are affected.
The flaw defeats the plugin's primary purpose: limiting access to a post to visitors who hold a password or a higher-privilege role such as administrator. An attacker with no account can pull titles, excerpts and content fragments of protected posts out of ordinary search result pages, bypassing both the password and the role-based controls the plugin enforces on direct requests.
Critical Impact
Unauthenticated attackers can extract sensitive content from posts restricted to administrator or higher-level roles by querying the WordPress core search endpoint.
Affected Products
- Passster – Password Protect Pages and Content plugin for WordPress
- All versions up to and including 4.2.10
- Sites using Passster to restrict posts to administrator or other elevated roles
Discovery Timeline
- 2025-01-07 - CVE-2024-11282 published to NVD
- 2025-06-05 - Last updated in NVD database
Technical Details for CVE-2024-11282
Vulnerability Analysis
Passster restricts access to posts and pages with a password or with role-based rules. It enforces those rules when a protected page is requested directly, but it does not adequately filter the result set of the WordPress core search feature. When an unauthenticated visitor submits a query through the built-in ?s= search parameter, the main WordPress query returns every matching post, including posts the plugin is supposed to protect, and the theme renders their titles and excerpts on the results page.
The issue is classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The impact is limited to confidentiality; integrity and availability are unaffected. The attack requires no privileges and no user interaction and is performed entirely over the network.
EPSS scores the vulnerability at 1.529% (EPSS estimates the probability that a CVE sees exploitation activity within the next 30 days), which places it in the 81.6th percentile of scored CVEs, i.e. above roughly four in five. EPSS is a prioritisation signal, not evidence that this particular bug has been exploited.
Root Cause
The plugin enforces its access controls at the page rendering layer only. It does not hook the WordPress query (pre_get_posts or an equivalent filter) to drop protected posts from search, so on a search request the main query returns restricted posts like any other and the theme prints their title and excerpt. Themes whose search.php calls the_content() rather than the_excerpt() print the full post body on the results page, which widens the exposure further.
Attack Vector
An unauthenticated attacker issues HTTP GET requests to the target site's search endpoint with chosen keywords. The response renders titles and excerpts from posts that Passster is meant to hide. By iterating over targeted keywords (names, project codes, phrases likely to occur in the protected text), the attacker reconstructs portions of the protected content; how much each hit reveals depends on whether the theme prints an excerpt or the full post on search result pages. No authentication, session token or social engineering is required. See the Wordfence Vulnerability Report for further details.
Detection Methods for CVE-2024-11282
Indicators of Compromise
- High volumes of unauthenticated GET requests to /?s= or /search/ from a single IP or narrow IP range
- Search queries enumerating keywords likely to match restricted internal content
- Search terms in the query string that match titles or distinctive phrases from Passster-protected posts, in particular long sequences of such terms from one client
Detection Strategies
- Audit web server access logs for repeated search queries targeting the WordPress search endpoint without prior authentication
- Correlate referrer and user-agent patterns against expected legitimate search traffic
- Verify the exposure directly: from a logged-out browser or with curl, search for a distinctive word from each protected post and check whether that post's permalink appears in the results; any hit confirms the site is still vulnerable
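One way to run that verification from WP-CLI, written here as an added example that is not part of Passster or of the Wordfence report: it fetches the front-end search page the way an anonymous visitor would and looks for each protected post's permalink in the HTML. The option name passster_guard_protected_ids is a hypothetical, site-maintained list of protected post IDs (the script does not read Passster's own storage), and the site's home URL must be reachable over HTTP from the host where WP-CLI runs.

```php
<?php
/**
 * Example check for CVE-2024-11282: does an anonymous search surface
 * Passster-protected posts? Illustrative code, not part of Passster.
 *
 * Run from the site root:  wp eval-file passster-search-check.php
 *
 * ASSUMPTION: the protected post IDs are kept by the site owner in the
 * hypothetical option 'passster_guard_protected_ids' (an array of ints).
 */

/**
 * @return int[] protected post IDs, or an empty list if none are configured.
 */
function passster_check_protected_ids(): array {
    $ids = array_map( 'intval', (array) get_option( 'passster_guard_protected_ids', array() ) );
    return array_values( array_filter( $ids ) );
}

/**
 * Fetch /?s=<term> as a logged-out visitor would: plain GET, no cookies,
 * no nonce. Returns the HTML body, or null on a transport error.
 */
function passster_check_fetch_search( string $term ): ?string {
    // add_query_arg() does not encode values, so encode the term ourselves.
    $url      = add_query_arg( 's', rawurlencode( $term ), home_url( '/' ) );
    $response = wp_remote_get( $url, array( 'timeout' => 15 ) );
    if ( is_wp_error( $response ) ) {
        return null;
    }
    return (string) wp_remote_retrieve_body( $response );
}

/**
 * Probe each protected post with the longest word of its title and report
 * the ones whose permalink shows up in the anonymous results page.
 *
 * @return array<int,string> post ID => search term that exposed it
 */
function passster_check_leaks( array $post_ids ): array {
    $leaks = array();
    foreach ( $post_ids as $post_id ) {
        $post = get_post( $post_id );
        if ( ! $post ) {
            continue;
        }
        $words = preg_split( '/\W+/u', $post->post_title, -1, PREG_SPLIT_NO_EMPTY );
        usort( $words, static function ( $a, $b ) {
            return strlen( $b ) <=> strlen( $a );
        } );
        $term = $words[0] ?? '';
        if ( '' === $term ) {
            continue;
        }
        $html = passster_check_fetch_search( $term );
        if ( null !== $html && false !== strpos( $html, get_permalink( $post ) ) ) {
            $leaks[ $post_id ] = $term;
        }
    }
    return $leaks;
}

$leaks = passster_check_leaks( passster_check_protected_ids() );
if ( empty( $leaks ) ) {
    WP_CLI::success( 'No protected post surfaced in anonymous search results.' );
} else {
    foreach ( $leaks as $id => $term ) {
        WP_CLI::warning( sprintf( 'Post %d is returned by /?s=%s', $id, $term ) );
    }
}
```

Populate the hypothetical option first, for example with wp option update passster_guard_protected_ids '[12,34]' --format=json, then run the script before and after updating the plugin. A warning after the update means the search leak is still present, whether through the plugin or through a theme or caching layer that serves stale result pages.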
Monitoring Recommendations
- Alert on spikes in /?s= requests originating from non-authenticated sessions
- Monitor the installed version of the Passster plugin against the fixed release across all WordPress instances
- Where response-body inspection is available (WAF or reverse proxy), flag search result pages whose body contains permalinks or excerpts of posts marked as protected
How to Mitigate CVE-2024-11282
Immediate Actions Required
- Update Passster to a release later than 4.2.10 (the fix is recorded in WordPress.org plugin changeset 3211004)
- Inventory all WordPress sites using Passster and confirm the installed version is above 4.2.10
- Review search-engine and CDN caches for leaked excerpts of protected content and purge cached entries
Patch Information
The vendor released a fix in the Passster plugin repository. The relevant code change is recorded in WordPress plugin changeset 3211004. The patch adjusts query filtering so that posts protected by Passster are excluded from WordPress core search results.
Workarounds
- Disable the WordPress core search feature on sites that rely on Passster to protect sensitive content until the plugin can be updated
- Add a custom pre_get_posts filter that removes protected post IDs from every search query, not only the main query, so that search widgets, feeds and REST-driven searches are covered as well
- Restrict the search endpoint at the web server or WAF layer for unauthenticated users; match on the s query parameter rather than on the /?s= path alone, because WordPress honours s on any front-end URL
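A minimal must-use plugin implementing the pre_get_posts workaround, written here as an added example; it is not Passster's code and not the vendor's patch. It assumes the site owner maintains the protected post IDs in the hypothetical option passster_guard_protected_ids. The callback deliberately omits the usual is_main_query() check, because WP_Query fires pre_get_posts for every query it runs, so widget, feed and REST searches are filtered too; users who can read private posts are exempted so back-office search keeps working.

```php
<?php
/**
 * Plugin Name: Passster Search Guard (example workaround)
 * Description: Excludes a site-maintained list of protected post IDs from
 *              search queries run by visitors who cannot read private posts.
 *              Illustrative code, not part of Passster or its vendor patch.
 *
 * Install: copy to wp-content/mu-plugins/passster-search-guard.php
 * ASSUMPTION: protected post IDs live in the hypothetical option
 *             'passster_guard_protected_ids' (an array of ints).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * IDs that must never appear in search results for unprivileged visitors.
 *
 * @return int[]
 */
function passster_guard_protected_ids(): array {
    $ids = array_map( 'intval', (array) get_option( 'passster_guard_protected_ids', array() ) );
    $ids = array_values( array_filter( $ids, static function ( $id ) {
        return $id > 0;
    } ) );
    // Hypothetical filter so a theme can add IDs from its own metadata.
    return array_map( 'intval', (array) apply_filters( 'passster_guard_protected_ids', $ids ) );
}

/**
 * pre_get_posts callback. No is_main_query() check on purpose: WP_Query fires
 * this hook for every query, so search widgets, feeds and the REST search
 * endpoint are covered, not only the /?s= results page.
 */
function passster_guard_filter_search( WP_Query $query ): void {
    if ( is_admin() || ! $query->is_search() ) {
        return; // Leave the dashboard and non-search queries untouched.
    }
    if ( current_user_can( 'read_private_posts' ) ) {
        return; // Editors and admins keep full search for back-office work.
    }

    $protected = passster_guard_protected_ids();
    if ( empty( $protected ) ) {
        return;
    }

    // Merge with exclusions already on the query instead of overwriting them.
    $existing = array_map( 'intval', (array) $query->get( 'post__not_in', array() ) );
    $query->set( 'post__not_in', array_values( array_unique( array_merge( $existing, $protected ) ) ) );
}
add_action( 'pre_get_posts', 'passster_guard_filter_search' );
```

The guard hides the listed posts from search only; direct requests to them are still governed by Passster's own password and role checks. Remove the file once the plugin has been updated and the check above no longer reports a leak, so that two layers of exclusion logic do not drift apart.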
# Update Passster via WP-CLI on affected hosts (wp plugin update has no "latest" version value; omitting --version installs the current release)
wp plugin update content-protector
# Confirm the installed version is later than 4.2.10
wp plugin get content-protector --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


