CVE-2025-3861

The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data| due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to access and change the protection status of media.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/prevent-direct-access/tags/2.8.8.2/includes/pda_lite_api.php#L71
https://plugins.trac.wordpress.org/changeset/3279923/
https://www.wordfence.com/threat-intel/vulnerabilities/id/2ed83916-3cf7-4fc6-a16f-45b40cedc721?source=cve

Configurations

No configuration.

History

29 Apr 2025, 13:52

Type	Values Removed	Values Added
Summary		(es) El complemento Prevent Direct Access – Protect WordPress Files para WordPress es vulnerable al acceso y la modificación no autorizados de datos debido a una comprobación de capacidad incorrecta en la función "pda_lite_custom_permission_check" en las versiones 2.8.6 a 2.8.8.2. Esto permite que atacantes autenticados, con acceso de colaborador o superior, accedan y modifiquen el estado de protección de los medios.

25 Apr 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-25 06:15

Updated : 2025-04-29 13:52

NVD link : CVE-2025-3861

Mitre link : CVE-2025-3861

CVE.ORG link : CVE-2025-3861

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

5.4 /10