Published: 24 Apr 2025 | Last update: 24 Apr 2025 | Reading time: ~2 min
Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions in Prevent Direct Access Wordpress Plugin (CVE-2025-3861)
#wordpress #wordpress-plugin #prevent-direct-access #pda-lite
The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data due to a misconfigured capability check on the pda_lite_custom_permission_check function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to access and change the protection status of media.
Table of contents
Summary
- Product
- Prevent Direct Access – Protect WordPress Files
- Vendor
- WP Folio Team
- Active installations
- 10,000+
- Severity
- Medium
- Affected Version(s)
- 2.8.6 - 2.8.8.2
- Fixed version
- 2.8.8.3
- CVE
- CVE-2025-3861
- CVE Description
- The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data due to a misconfigured capability check on the `pda_lite_custom_permission_check` function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to access and change the protection status of media.
- CWE
- CWE-863: Incorrect Authorization
CVSS 3.1 Score
Base Score: 5.4 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Metric | Value |
---|---|
Attack Vector (AV) | Network |
Attack Complexity (AC) | Low |
Privileges Required (PR) | Low |
User Interaction (UI) | None |
Scope (S) | Unchanged |
Confidentiality (C) | Low |
Integrity (I) | Low |
Availability (A) | None |
Vulnerability Details
Prevent Direct Access registers four REST API routes under the pda-lite/v1 namespace:
[
"/pda-lite/v1",
"/pda-lite/v1/files/(?P<id>\\d+)",
"/pda-lite/v1/private-urls/(?P<id>\\d+)",
"/pda-lite/v1/un-protect-files/(?P<id>\\d+)"
]
These routes are intended to let only administrators or the owner of a media item manage and restrict access to it.
Each of them validates the privileges of the calling user through the same custom permission_callback, pda_lite_custom_permission_check:
/includes/pda_lite_api.php
...
register_rest_route(PDA_Lite_Constants::PREFIX_API_NAME, '/files/(?P<id>\d+)', array(
'methods' => 'POST',
'callback' => array($this, 'protect_files'),
'permission_callback' => array( $this, 'pda_lite_custom_permission_check' ),
));
...
register_rest_route(PDA_Lite_Constants::PREFIX_API_NAME, '/files/(?P<id>\d+)', array(
'methods' => 'GET',
'callback' => array($this, 'is_protected'),
'permission_callback' => array( $this, 'pda_lite_custom_permission_check' ),
));
...
public function pda_lite_custom_permission_check() {
return current_user_can('edit_posts') ||
current_user_can('manage_options');
}
In pda_lite_custom_permission_check(), authorization is granted if the user holds either the manage_options or the edit_posts capability. The manage_options branch adds nothing, since Administrators also hold edit_posts, so the effective gate is edit_posts. According to the WordPress documentation [1], edit_posts is a role-wide capability held by the Contributor, Author and Editor roles as well as Administrators. Note also that the callback takes no arguments: it never looks at the WP_REST_Request it is given, so it cannot tie the decision to the attachment ID in the route, and the same yes/no answer applies to every media item on the site.
As a result, any authenticated user with Contributor-level access or above can call every route guarded by this callback: read whether an attachment is protected and protect or un-protect it by ID, regardless of who uploaded it. That bypasses the plugin's media protection for exactly the low-privilege users it is meant to keep out.
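To make the defect and its remedy concrete, here is the callback from the page beside a hardened version written for this write-up. The hardened function is not the plugin's own code and is not a copy of the change shipped in 2.8.8.3; it assumes it is registered as the permission_callback for the routes above (so WordPress passes it the WP_REST_Request), that the route's id parameter is the attachment ID, and that "media owner" means the attachment's post_author. Administrators keep the manage_options path; everyone else must own the attachment and pass the object-specific edit_post meta capability for it, rather than the role-wide edit_posts check.

```php
<?php
// Added illustration for this write-up, not the plugin's code.
// Assumes the WordPress runtime: current_user_can(), get_post(),
// get_current_user_id(), rest_authorization_required_code(),
// WP_REST_Request and WP_Error.

// Vulnerable form, as shipped in 2.8.6 - 2.8.8.2. A role-wide check that
// ignores the request: any user holding edit_posts (Contributor and above)
// is authorized for every attachment ID on the site.
function pda_lite_custom_permission_check_vulnerable() {
    return current_user_can( 'edit_posts' ) ||
        current_user_can( 'manage_options' );
}

// Hardened form (assumption, written for this article). The decision is
// bound to the specific attachment named in the route, so a Contributor
// can no longer read or change the protection status of other users' media.
function pda_lite_custom_permission_check_hardened( WP_REST_Request $request ) {
    // Administrators may manage protection for any media item.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }

    $id   = (int) $request['id'];
    $post = get_post( $id );

    // Unknown IDs and non-attachment post types are rejected outright
    // instead of falling through to a role check.
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return new WP_Error(
            'pda_lite_invalid_media',
            'Unknown media item.',
            array( 'status' => 404 )
        );
    }

    // Non-admins must own the attachment AND hold the object-specific
    // edit_post meta capability for it. Passing the post ID makes WordPress
    // resolve edit_post through map_meta_cap for this attachment, which a
    // bare edit_posts role capability does not do.
    $is_owner = (int) $post->post_author === get_current_user_id();
    if ( $is_owner && current_user_can( 'edit_post', $id ) ) {
        return true;
    }

    // 401 for anonymous callers, 403 for authenticated ones.
    return new WP_Error(
        'pda_lite_forbidden',
        'You may not change the protection status of this media item.',
        array( 'status' => rest_authorization_required_code() )
    );
}
```

No registration change is needed beyond pointing permission_callback at the hardened function: register_rest_route() already passes the WP_REST_Request to the permission callback, the original signature simply discarded it. Returning a WP_Error with a status, rather than false, also gives the REST API a meaningful error body instead of a generic rest_forbidden response, which makes audit logs of rejected calls easier to read.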