CVE-2024-0656 in Password Protected Plugin

Summary

by MITRE • 02/29/2024

The Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Captcha Site Key in all versions up to, and including, 2.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.


Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-0656 affects the Password Protected plugin for WordPress, specifically targeting versions up to and including 2.6.6. This plugin serves as a content protection mechanism that allows administrators to password protect WordPress content, making it a critical component for site security. The flaw manifests in the plugin's handling of the Google Captcha Site Key parameter, which is used to integrate reCAPTCHA functionality for additional security measures. This vulnerability represents a significant security risk as it allows for stored cross-site scripting attacks that can persist across user sessions and potentially compromise entire WordPress installations.

The root cause is inadequate input sanitization and output escaping in the plugin's code. The Google Captcha Site Key setting, which should be treated as untrusted input, is not validated or escaped before it is stored in the database and later rendered in web pages. Script content stored in the plugin's configuration therefore executes whenever an affected page is accessed. The issue only affects multi-site installations and installations where unfiltered_html has been disabled, because in those configurations administrators are not otherwise permitted to post unfiltered HTML. This makes it particularly relevant in enterprise environments, where such restrictions are commonly implemented to prevent script injection.

The operational impact of this vulnerability is severe for WordPress administrators who rely on the Password Protected plugin for content security. An authenticated attacker with administrator-level privileges can inject malicious JavaScript code through the Google Captcha Site Key field, which will then execute in the context of any user who accesses pages containing the injected content. This stored XSS vulnerability can be leveraged to perform various malicious activities including session hijacking, credential theft, data exfiltration, and privilege escalation attacks. The attack vector requires only administrative access to the WordPress installation, making it particularly dangerous in environments where administrators may have elevated privileges or where account compromise occurs through other means. The vulnerability's impact is amplified in multi-site installations where a single compromised plugin can affect multiple WordPress sites within the same network.

Mitigation strategies for CVE-2024-0656 should prioritize immediate plugin updates to versions that address the stored XSS vulnerability. Organizations should implement the principle of least privilege by restricting administrator access to only necessary users and regularly auditing user permissions within WordPress installations. Input validation should be strengthened by implementing proper sanitization routines that filter and escape all user-provided data before storage, following established security practices outlined in the OWASP Top Ten and CWE-79 which specifically addresses cross-site scripting vulnerabilities. Network-based security controls including web application firewalls and content filtering systems should be configured to monitor for suspicious script injection patterns and prevent exploitation attempts. Additionally, regular security audits of WordPress plugins and themes should be conducted to identify and remediate similar vulnerabilities, with particular attention to plugins handling sensitive configuration parameters like API keys and captcha site keys. The vulnerability's classification under CWE-79 and its potential mapping to ATT&CK techniques related to command and control communications and credential access underscores the need for comprehensive defensive measures beyond simple patching. Organizations should also consider implementing browser security headers and Content Security Policies to provide additional protection against script execution attacks.
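The two controls named above, validation before storage and escaping at output, shown side by side for a site-key setting. This is an added example, not the plugin's code: the function names, the key pattern and the `data-sitekey` markup are assumptions, since the page does not show how the plugin stores or renders the value.

```php
<?php
// Added illustration; not the plugin's code. All names here are hypothetical.

// Assumption: a site key is a bounded run of URL-safe characters.
const SITE_KEY_PATTERN = '/\A[A-Za-z0-9_-]{20,100}\z/';

// Input side: keep the submitted value only if it matches the allow-list.
function example_sanitize_site_key(string $raw): string
{
    $raw = trim($raw);
    return preg_match(SITE_KEY_PATTERN, $raw) === 1 ? $raw : '';
}

// Flawed output: the stored value is concatenated into the attribute as-is.
function example_render_unescaped(string $stored): string
{
    return '<div class="g-recaptcha" data-sitekey="' . $stored . '"></div>';
}

// Corrected output: encode for an HTML attribute at render time. This also
// neutralises values saved before the input check existed.
// (WordPress code would use esc_attr() here.)
function example_render_escaped(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="g-recaptcha" data-sitekey="' . $safe . '"></div>';
}

// Constructed sample values, not real keys.
$samples = [
    'well-formed key' => '6Lconstructed-sample_key-0123456789ABCDEF',
    'markup in field' => '"><script>alert(1)</script>',
];

foreach ($samples as $label => $value) {
    echo "== {$label}\n";
    echo 'sanitized on save : ' . var_export(example_sanitize_site_key($value), true) . "\n";
    echo 'unescaped output  : ' . example_render_unescaped($value) . "\n";
    echo 'escaped output    : ' . example_render_escaped($value) . "\n";
}
```

Escaping at output matters even after the input check is in place, because a value stored by a vulnerable version stays in the database after the plugin is updated.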

Reservation: 01/17/2024

Disclosure: 02/29/2024

Moderation: accepted

CPE: ready

EPSS: 0.00279

KEV: no

Activities: very low
