Unauthorized Access Weakness in Prevent Direct Access – Protect WordPress Files by WordPress
CVE-2025-3861

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Prevent Direct Access – Protect WordPress Files
Vendor: CVE Published:; 25 April 2025

What is CVE-2025-3861?

The Prevent Direct Access – Protect WordPress Files plugin experiences a significant vulnerability due to a misconfigured capability check in the 'pda_lite_custom_permission_check' function. This flaw, present in versions 2.8.6 to 2.8.8.2, allows authenticated users with Contributor-level permissions or higher to bypass intended restrictions, leading to unauthorized access and modification of media protection statuses. This can compromise the integrity of protected files, posing a potential risk to site security.

Affected Version(s)

Prevent Direct Access – Protect WordPress Files 2.8.6 <= 2.8.8.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/prevent-direct...

https://plugins.trac.wordpress.org/changeset/3279923/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 25, 2025
Vulnerability Reserved
Apr 21, 2025

Credit

Mattia Brollo