Unauthorized Access Weakness in Prevent Direct Access – Protect WordPress Files by WordPress
CVE-2025-3861
5.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 25 April 2025
What is CVE-2025-3861?
The Prevent Direct Access – Protect WordPress Files plugin contains a significant vulnerability caused by a misconfigured capability check in the 'pda_lite_custom_permission_check' function. The flaw is present in versions 2.8.6 to 2.8.8.2. It allows authenticated users with Contributor-level permissions or higher to bypass the intended restrictions, giving them unauthorized access to media protection statuses and the ability to modify them. This can compromise the integrity of protected files and poses a potential risk to site security.
Affected Version(s)
Prevent Direct Access – Protect WordPress Files: versions 2.8.6 through 2.8.8.2 (inclusive)
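To triage an installation against the affected range above, the following added example (not code from the plugin or from this advisory) reads the `Version:` field of a WordPress plugin header and compares it with 2.8.6 through 2.8.8.2. The header text is a constructed sample, and the function names are chosen for this illustration.

```python
import re

# Affected range as stated on this page: 2.8.6 through 2.8.8.2, inclusive.
AFFECTED_MIN = "2.8.6"
AFFECTED_MAX = "2.8.8.2"

# Constructed sample of a plugin header comment (not the plugin's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Prevent Direct Access (constructed sample header)
 * Version: 2.8.8
 */
"""

def parse_version(text, width=4):
    """Turn '2.8.8.2' into (2, 8, 8, 2); shorter versions are zero-padded
    so that 2.8.8 sorts below 2.8.8.2 and 2.8.6 equals 2.8.6.0."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > width:
        raise ValueError("unexpected version format: " + text)
    return tuple(parts + [0] * (width - len(parts)))

def header_version(plugin_source):
    """Return the 'Version:' value from a plugin header, or None if absent."""
    match = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", plugin_source,
                      re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None

def is_affected(version):
    """True when the version lies inside the range stated on this page."""
    low, high = parse_version(AFFECTED_MIN), parse_version(AFFECTED_MAX)
    return low <= parse_version(version) <= high

def triage(plugin_source):
    """Classify a plugin file's header against the stated range."""
    version = header_version(plugin_source)
    if version is None:
        return "unknown"
    return "in affected range" if is_affected(version) else "outside affected range"

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER))
```

A result of "outside affected range" only means the version is not in the range listed here; the page does not name a fixed release.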