Vulnerabilities and security researches forprevent-direct-access prevent-direct-access

Apr 27, 2025

CVE, Research URL: CVE-2025-3861
Home page URL: Security reports for Prevent Direct Access – Protect WordPress Files
Application: Prevent Direct Access – Protect WordPress Files
Date: Apr 25, 2025
Research Description: The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data| due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to access and change the protection status of media.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2025-3923
Home page URL: Security reports for Prevent Direct Access – Protect WordPress Files
Application: Prevent Direct Access – Protect WordPress Files
Date: Apr 25, 2025
Research Description: The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the 'generate_unique_string' due to insufficient randomness of the generated file name. This makes it possible for unauthenticated attackers to extract sensitive data including files protected by the plugin if the attacker can determine the file name.
Affected versions: Min -, max -.
Status: vulnerable