Password Protected Vulnerability – Authenticated (Admin+) Stored Cross-Site Scripting – CVE-2024-0656 | WordPress Plugin Vulnerability Report

Plugin Name: Password Protected

Key Information:

  • Software Type: Plugin
  • Software Slug: password-protected
  • Software Status: Active
  • Software Author: wpexpertsio
  • Software Downloads: 4,493,510
  • Active Installs: 400,000
  • Last Updated: February 19, 2024
  • Patched Versions: 2.6.7
  • Affected Versions: <= 2.6.6

Vulnerability Details:

  • Name: Password Protected <= 2.6.6 - Authenticated (Admin+) Stored Cross-Site Scripting
  • Title: Authenticated (Admin+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • CVE: CVE-2024-0656
  • CVSS Score: 4.4 (Medium)
  • Publicly Published: February 19, 2024
  • Researcher: Felipe Restrepo Rodriguez
  • Description: The Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Captcha Site Key in all versions up to, and including, 2.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.


The Password Protected plugin for WordPress has a vulnerability in versions up to and including 2.6.6 that allows authenticated administrators to inject arbitrary web scripts that will execute when users access affected pages. This cross-site scripting vulnerability has been patched in version 2.6.7.

Detailed Overview:

A vulnerability discovered by researcher Felipe Restrepo Rodriguez makes it possible for authenticated WordPress admins using the Password Protected plugin (v2.6.6 and earlier) to store malicious scripts in the Google Captcha Site Key field. Due to insufficient sanitization of this input field and lack of output escaping on the front-end, these scripts will then execute whenever a user visits an affected page. This exposes users to potential phishing, session hijacking, malware injection and other browser-based attacks. The issue only applies to multi-site installations and sites where the unfiltered_html capability has been disabled. It has been resolved in Password Protected version 2.6.7 through improved input validation and escaping.

Advice for Users:

  1. Immediate Action: Update to Password Protected version 2.6.7 as soon as possible.
  2. Check for Signs of Compromise: Review your Google Captch Site Key for any unauthorized scripts. Also check pages where Password Protected is active for compromised content.
  3. Alternate Plugins: Consider using alternative plugins like Content Control or Membership Plugins by Justin Tadlock for restricting access to content.
  4. Stay Updated: Subscribe to plugin changelogs and announcements to stay on top of patches for vulnerabilities.


The quick response from the Password Protected developers to patch this stored XSS vulnerability is a great example of responsible disclosure and software security practices. Users should ensure they are running the latest version to prevent malicious scripts from compromising their sites.


Detailed Report:

Keeping your WordPress website secure should be a top priority – after all, you don’t want your site compromised or your visitors exposed to threats. Unfortunately, vulnerabilities in widely-used plugins like Password Protected crop up more often than we’d like. Password Protected is an extremely popular plugin with over 4 million downloads to date that allows site owners to easily restrict access to content. A serious vulnerability, now catalogued as CVE-2024-0656, was recently disclosed that makes authenticated users with admin access able to inject malicious scripts into web pages protected by the plugin.

Specifically, the issue lies in insufficient validation of the Google Captcha Site Key field, which accepts scripts that are then stored and executed whenever a user visits a page protected by the plugin. This could enable attackers who gain admin access to steal user sessions, distribute malware payloads to your visitors via compromised pages, or leverage your site for widespread phishing campaigns. According to publicly available data, over 400,000 WordPress sites with active installs of Password Protected may be affected.

The developer has released Password Protected version 2.6.7 to fully patch and resolve this stored cross-site scripting (XSS) vulnerability. However, as a site owner you need to manually update your install for the fix to take effect. To check if your site may be at risk, look at your list of active plugins and see if you have any release of Password Protected before 2.6.7 active. Those previous versions are conclusively vulnerable based on analysis from the security researcher who discovered the issue.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Password Protected Vulnerability – Authenticated (Admin+) Stored Cross-Site Scripting – CVE-2024-0656 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment