Bypass password protected posts via GET variable

The check for a post password happens (for some reason) inside get_the_content(), which seems legit, but actually mixes together two separate concerns. You were right with the statement that there is no way to work around get_the_content() displaying the password form. Here’s what the check for the password does in core in detail:

if ( empty( $post->post_password ) )
     return false;

if ( ! isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
     return true;

require_once ABSPATH . WPINC . '/class-phpass.php';
$hasher = new PasswordHash( 8, true );
$hash = wp_unslash( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
if ( 0 !== strpos( $hash, '$P$B' ) )
     return true;
return ! $hasher->CheckPassword( $post->post_password, $hash );

As you can see, the password gets check against a Cookie stored at the users machine.

To circumvent the post password, you will actually have to give the user explicit permission by setting this cookie. Core does it the following way:

setcookie(
    'wp-postpass_' . COOKIEHASH,
    $hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ),
    $expire,
    COOKIEPATH
);

when you look at the_post_password(), which is used to retrieve the (plain text password), then you will find that it does nothing aside from escaping the argument for the users safety:

esc_attr( $post->post_password )

Now you can combine this and set the Cookie before you display the content in your template:

// Your custom check for the `$_GET` content
// …also check if there in fact is a password
// …and if the user is a repeated visitor, do not set the Cookie again
if (
        isset( $_GET['circumvent'] ) 
        and 'disable-pass' === $_GET['circumvent'] 
        and isset( $post->post_password )
        and ! isset( 'wp-postpass_'.COOKIEHASH )
    ) {
    // Finally we use the plain text password to set the Cookie
    // as if the user would have entered it into the password form
    setcookie(
        'wp-postpass_'.COOKIEHASH,
        $hasher->HashPassword( wp_unslash( esc_attr( $post->post_password ) ) ),
        $expire,
        COOKIEPATH
    );
}
// Now display the content:
the_content();

Additional information about Post Passwords in this article I wrote as much of this concept is known very little and you might want to account for some of those details.

Related Posts:

  1. How to change user password with wp-cli?
  2. wordpress redirect after password reset
  3. Loosen/disable password policy
  4. Password protecting a page
  5. How to save Admin FTP password
  6. How to add Wp_error using lostpassword_post hook when validating custom field?
  7. Why do generated passwords start/end with spaces?
  8. Duplicate hash method for password in .NET
  9. Hide password protected posts
  10. Safe to store SMTP password in wp-config.php?
  11. Access code/password only restricts page access, no user registration..?
  12. PasswordHash not found in namespace
  13. Force all users in MU to change their passwords
  14. Check Password Reset Key Not Woking
  15. Reset password – set minimum length for new password
  16. How to shorten length of auto generated password sent during registration?
  17. wp_hash_password unexpected behaviour
  18. Redirect a password protected page?
  19. Lost password link is redirecting to /shop/my-account/lost-password/
  20. WordPress: force users to change password on first login
  21. Can’t login to wordpress despite changing password to something known directly in MySQL or using “Password Reset by Email” feature
  22. Change default recovery link expiration time
  23. Lost password link redirects to my-account/lost-password/,how to fix it back to default lost password
  24. Set content type to HTML for lost password email only
  25. Where is the reset password key stored/generated?
  26. Password protecting template, secured content not showing if even password is right
  27. How validate usernames/passwords against WP’s database?
  28. Make post password required to publish
  29. Add error message on password protected pages
  30. User password field is empty
  31. Get plain password on register
  32. post_password_required() not recognizing cookie set with correct password
  33. How Authentication in wordpress works? wp_authenticate_username_password()
  34. Password protect the site (without htaccess or membership)
  35. Password Protected page not asking for a password
  36. I would like to password protect my entire WordPress site (ip validated), except for one page
  37. Custom login form for front-end user as well as admin
  38. how to remotely check a username / password from within a plugin
  39. Password changed [duplicate]
  40. How to get user password before being encrypted outside the wordpress core once add a new user from dashboard?
  41. wp_hash_password create a different hash everytime
  42. Custom password form allows unlock two posts with the same password
  43. How to change password
  44. Password protect pages – allow more than one password
  45. password recovery key is invalid on custom reset
  46. Password Protected Post is invisible until you login
  47. Send password to user instead of reset password link
  48. Protect Passwords in wp_users with stronger protection than MD5
  49. How secure is a wp-config file?
  50. How to check user’s password?
  51. How to Remove or Deactivate “Application Passwords” in WordPress
  52. What’s the algorithm to verify user password?
  53. How to change “Reset Password” text on submit button
  54. resend user login & password with custom button
  55. WordPress admin creation through phpmyadmin not working
  56. How to show my wordpress admin username & password?
  57. Why does hashing a password result in different hashes, each time?
  58. Can’t alter $lostpassword_url
  59. How to initiate password reset flow by code
  60. Change password fields
  61. How to read third party cookie to access password protected pages
  62. Ask logged in user to re-enter password to access page “x”
  63. Password protected sites
  64. 2 accounts under same email preventing me from loging in
  65. How would I create a Password Protected Page with Content on it?
  66. Site only for users authenticated by different PHP application
  67. wordpress custom password change problem
  68. Allow all reset password links within the past 24 hours to be valid and accepted
  69. WooCommerce Lost Password reset goes to 404
  70. I need help with wp_lostpassword, wp_register and wp_login_form
  71. Create Member who can’t be changed
  72. I can’t recover my password
  73. $expiration_duration = apply_filters( ‘password_reset_expiration’, DAY_IN_SECONDS );
  74. Frontend custom forgot password page
  75. Entering a WP site with a SMS code
  76. Password Protect content() on homepage
  77. Function called by password_reset action passed only 1 argument instead of 2 in PHP 7.2.11
  78. How to set password from frontend if have activation key and user login in url in wordpress?
  79. Allow users from my ASP.Net MVC site to access my private WordPress site
  80. Lost Password redirect to My Account
  81. WordPress Protected Page Redirects to PDF
  82. Not able to log for the first time on a salted WordPress by creating pwd on BD
  83. Bypass a WordPress Password Protected Post or Page via a URL
  84. Custom page password recovery
  85. Password Protected Logout Button Not Working
  86. Can I use core passworded page/post functions outside of wp-login.php?
  87. Is it possible to display newly generated password after wp_generate_password()?
  88. How do I password protect a page of posts on WordPress?
  89. forgot password
  90. mysql update user’s password and activation key
  91. Is it possible to have users register without having a password?
  92. Password Protection for posts and pages [duplicate]
  93. How WordPress hashes passwords
  94. WordPress reset password button not working
  95. Override the default password length when creating or updating a user profile
  96. Why can’t I create an Application Password?
  97. FTP Password (not private key-value pair) for EC2 Instance
  98. How to Disable Pre-population of Password on Password Reset
  99. Bypass a WordPress Password Protected Page via url
  100. My WordPress password for admin account is changing automatically

Leave a Comment