CVE-2025-3923: 
WordPress vulnerability analysis and mitigation

The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 2.8.8. The vulnerability was discovered and disclosed on April 25, 2025, affecting the plugin's 'generateuniquestring' function (NVD).

The vulnerability stems from insufficient randomness in the generated file name within the 'generateuniquestring' function. This security flaw has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness has been classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to potentially extract sensitive data, including files that are supposed to be protected by the plugin, if they can determine the file name. This exposure of protected files could lead to unauthorized access to sensitive information (NVD).

Users of the Prevent Direct Access – Protect WordPress Files plugin should upgrade to a version newer than 2.8.8 once available. Until then, website administrators should carefully monitor access to protected files and consider implementing additional security measures to protect sensitive content (NVD).