{"api_version":"1","generated_at":"2026-04-23T06:30:53+00:00","cve":"CVE-2024-0620","urls":{"html":"https://cve.report/CVE-2024-0620","api":"https://cve.report/api/cve/CVE-2024-0620.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-0620","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-0620"},"summary":{"title":"PPWP – Password Protect Pages <= 1.8.9 -  Protection Mechanism Bypass","description":"The PPWP – Password Protect Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.9 via API. This makes it possible for unauthenticated attackers to obtain post titles, IDs, slugs as well as other information including for password-protected posts.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-02-29 01:43:23","updated_at":"2026-04-08 18:18:54"},"problem_types":["CWE-200","NVD-CWE-noinfo","CWE-200 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/41299927-2ed9-4cbe-b2b0-f306dc0e4a58?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/41299927-2ed9-4cbe-b2b0-f306dc0e4a58?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3032733%40password-protect-page%2Ftrunk&old=3010000%40password-protect-page%2Ftrunk&sfp_email=&sfph_mail=","name":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3032733%40password-protect-page%2Ftrunk&old=3010000%40password-protect-page%2Ftrunk&sfp_email=&sfph_mail=","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0620","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0620","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"buildwps","product":"PPWP – Password Protect Pages","version":"affected 1.8.9 semver","platforms":[]},{"source":"ADP","vendor":"bwps","product":"ppwp","version":"affected 1.8.9 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-02-07T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Francesco Carlucci","lang":"en"}],"nvd_cpes":[{"cve_year":"2024","cve_id":"620","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"passwordprotectwp","cpe5":"password_protect_wordpress","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-01T18:11:35.681Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/41299927-2ed9-4cbe-b2b0-f306dc0e4a58?source=cve"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3032733%40password-protect-page%2Ftrunk&old=3010000%40password-protect-page%2Ftrunk&sfp_email=&sfph_mail="}],"title":"CVE Program Container"},{"affected":[{"cpes":["cpe:2.3:a:bwps:ppwp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"ppwp","vendor":"bwps","versions":[{"lessThanOrEqual":"1.8.9","status":"affected","version":"0","versionType":"semver"}]}],"metrics":[{"other":{"content":{"id":"CVE-2024-0620","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-08-07T17:31:44.966976Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-08-07T17:49:02.616Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"PPWP – Password Protect Pages","vendor":"buildwps","versions":[{"lessThanOrEqual":"1.8.9","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Francesco Carlucci"}],"descriptions":[{"lang":"en","value":"The PPWP – Password Protect Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.9 via API. This makes it possible for unauthenticated attackers to obtain post titles, IDs, slugs as well as other information including for password-protected posts."}],"metrics":[{"cvssV3_1":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T16:48:36.172Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/41299927-2ed9-4cbe-b2b0-f306dc0e4a58?source=cve"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3032733%40password-protect-page%2Ftrunk&old=3010000%40password-protect-page%2Ftrunk&sfp_email=&sfph_mail="}],"timeline":[{"lang":"en","time":"2024-02-07T00:00:00.000Z","value":"Disclosed"}],"title":"PPWP – Password Protect Pages <= 1.8.9 -  Protection Mechanism Bypass"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-0620","datePublished":"2024-02-20T18:56:27.217Z","dateReserved":"2024-01-16T18:25:24.705Z","dateUpdated":"2026-04-08T16:48:36.172Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-02-29 01:43:23","lastModifiedDate":"2026-04-08 18:18:54","problem_types":["CWE-200","NVD-CWE-noinfo","CWE-200 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:passwordprotectwp:password_protect_wordpress:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"1.9.0","matchCriteriaId":"579C0428-FCC3-4DC3-B50A-BB8854B10D3B"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"620","Ordinal":"1","Title":"PPWP – Password Protect Pages <= 1.8.9 -  Protection Mechanism B","CVE":"CVE-2024-0620","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"620","Ordinal":"1","NoteData":"The PPWP – Password Protect Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.9 via API. This makes it possible for unauthenticated attackers to obtain post titles, IDs, slugs as well as other information including for password-protected posts.","Type":"Description","Title":"PPWP – Password Protect Pages <= 1.8.9 -  Protection Mechanism B"}]}}}