Cyber Resilience

CVE-2024-11282

Severity: Medium
Published: 07 January 2025
Modified: 05 June 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0153 (81.7th percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11282 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Wpchill Passster. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-11282 is a Sensitive Information Exposure vulnerability (CWE-200) in the Passster – Password Protect Pages and Content plugin for WordPress, affecting all versions up to and including 4.2.10. The flaw occurs via the WordPress core search feature, enabling the extraction of sensitive data from posts restricted to higher-level roles such as administrator. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Exploitation allows them to retrieve sensitive information from protected posts that should only be accessible to administrators or other high-privilege roles.

Advisories reference a patch in the plugin's Trac repository at changeset 3211004 under content-protector, with further details available in Wordfence's threat intelligence report. Security practitioners should update to a version later than 4.2.10 to remediate the issue.

Vulnerability details

The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct unauthenticated network exploitation of a public-facing WordPress plugin to bypass access controls and retrieve restricted sensitive data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13796 (shared CWE-200)
CVE-2025-25975 (shared CWE-200)
CVE-2024-12142 (shared CWE-200)
CVE-2025-25951 (shared CWE-200)
CVE-2026-34297 (shared CWE-200)
CVE-2024-26480 (shared CWE-200)
CVE-2026-24498 (shared CWE-200)
CVE-2025-22828 (shared CWE-200)
CVE-2026-23659 (shared CWE-200)
CVE-2026-21940 (shared CWE-200)

Affected Assets

Vendor: wpchill
Product: passster
Versions: ≤ 4.2.11

Mitigating Controls (NIST 800-53 r5, AI-derived mapping)

SI-2 Flaw Remediation (prevent): Remediating the specific flaw in the Passster plugin via the available patch directly prevents unauthenticated extraction of sensitive data from protected posts through WordPress search.

AC-3 Access Enforcement (prevent): Enforcing approved authorizations ensures the search feature respects role-based restrictions on sensitive administrator content, blocking unauthorized access.

Information Output Filtering (prevent): Filtering information output from search results prevents disclosure of sensitive excerpts or metadata from protected posts to unauthenticated users.
