
CVE-2025-3923: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in buildwps Prevent Direct Access – Protect WordPress Files

Medium
Published: Fri Apr 25 2025 (04/25/2025, 05:25:07 UTC)
Source: CVE
Vendor/Project: buildwps
Product: Prevent Direct Access – Protect WordPress Files

Description

The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the 'generate_unique_string' function, due to insufficient randomness of the generated file name. This makes it possible for unauthenticated attackers to extract sensitive data, including files protected by the plugin, if the attacker can determine the file name.

AI-Powered Analysis

Last updated: 06/24/2025, 13:14:13 UTC

Technical Analysis

CVE-2025-3923 is a vulnerability identified in the WordPress plugin "Prevent Direct Access – Protect WordPress Files" developed by buildwps. This plugin is designed to protect sensitive files uploaded to WordPress sites by restricting direct access to them. The vulnerability affects all versions up to and including 2.8.8. The root cause is insufficient randomness in the 'generate_unique_string' function responsible for creating the filenames of protected files. Because the generated filenames lack sufficient entropy, an unauthenticated attacker can potentially predict or enumerate these filenames. If successful, the attacker can bypass the plugin's protections and access sensitive files that were intended to be shielded from public access. This exposure constitutes a CWE-200 weakness, indicating sensitive information is disclosed to unauthorized actors. The vulnerability does not require authentication or user interaction, which lowers the barrier for exploitation. Although no known exploits are currently reported in the wild, the weakness in filename generation randomness presents a clear attack vector. The plugin is widely used in WordPress environments to secure media and document files, making the scope of affected systems potentially large. Since the plugin protects sensitive files, the confidentiality impact is significant, while integrity and availability impacts are minimal. The vulnerability was published on April 25, 2025, and has been enriched by CISA, indicating recognition by cybersecurity authorities. No patch links are currently provided, suggesting that users must monitor vendor updates closely or consider alternative mitigations until a fix is released.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive files hosted on WordPress sites using the affected plugin. Many European businesses, government agencies, and NGOs rely on WordPress for content management and may use this plugin to protect confidential documents, internal reports, or personal data. Exposure of such files could lead to data breaches violating GDPR and other privacy regulations, resulting in legal penalties and reputational damage. The ease of exploitation without authentication increases the threat level, especially for public-facing websites. Attackers could harvest sensitive intellectual property, customer data, or internal communications. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach alone can have severe operational and compliance consequences. Additionally, the potential for automated scanning and exploitation means that mass data leakage could occur rapidly if the vulnerability is widely present and unpatched. Organizations with sensitive or regulated data hosted on WordPress sites should consider this a significant risk vector.

Mitigation Recommendations

1. Immediate mitigation should include disabling or uninstalling the "Prevent Direct Access – Protect WordPress Files" plugin until a secure version is released.
2. Monitor the vendor's official channels and WordPress plugin repository for updates or patches addressing this vulnerability.
3. Implement additional access controls at the web server or application firewall level to restrict access to sensitive files, such as IP whitelisting or authentication requirements.
4. Use security plugins or tools that provide more robust file protection mechanisms with proven randomness in filename generation.
5. Conduct an audit of all sensitive files currently protected by this plugin to assess potential exposure and remove or relocate highly sensitive content if possible.
6. Enable detailed logging and monitoring to detect unusual access patterns that could indicate exploitation attempts.
7. Educate site administrators on the risks of using plugins with insufficient security and encourage a security-first approach to plugin selection and maintenance.
8. Consider implementing Content Security Policy (CSP) and other HTTP headers to reduce the risk of data exfiltration via other vectors.
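One way to act on recommendations 5 and 6 is to scan web server access logs for clients that request many different file names under the protected directory and mostly miss. The following is an added example, not code from the plugin or from this advisory; the directory prefix is a placeholder, the thresholds are assumptions to tune per site, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumption: placeholder for the directory holding protected files;
# replace it with the real path used on your site.
PROTECTED_PREFIX = "/wp-content/uploads/PROTECTED_DIR/"
MIN_PROBES = 5       # distinct file names requested by one client
MAX_HIT_RATIO = 0.5  # mostly failed lookups look like guessing

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_enumeration(lines, prefix=PROTECTED_PREFIX):
    """Return {ip: {"probes", "hits", "exposed"}} for clients guessing names."""
    seen = defaultdict(lambda: {"names": set(), "hits": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line or a method other than GET/HEAD
        path = m["path"].split("?", 1)[0]
        if not path.startswith(prefix):
            continue
        name = path[len(prefix):]
        seen[m["ip"]]["names"].add(name)
        if m["status"] in ("200", "206", "304"):
            seen[m["ip"]]["hits"].add(name)
    findings = {}
    for ip, rec in seen.items():
        probes = len(rec["names"])
        if probes >= MIN_PROBES and len(rec["hits"]) / probes <= MAX_HIT_RATIO:
            # Names in "exposed" were served to a guessing client: treat as disclosed.
            findings[ip] = {"probes": probes, "hits": len(rec["hits"]),
                            "exposed": sorted(rec["hits"])}
    return findings

def _line(ip, path, status):
    return f'{ip} - - [25/Apr/2025:06:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample log: documentation IP ranges and made-up file names.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"{PROTECTED_PREFIX}guess{i:03d}.pdf", 404) for i in range(6)]
    + [_line("203.0.113.7", PROTECTED_PREFIX + "report.pdf", 200),
       _line("198.51.100.4", PROTECTED_PREFIX + "invoice.pdf", 200),
       _line("198.51.100.4", "/wp-login.php", 200)]
)

if __name__ == "__main__": print(find_enumeration(SAMPLE_LOG))
```

Files listed under "exposed" for a flagged client belong in the audit from recommendation 5, since they were delivered to a client that was guessing names.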


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-04-24T16:59:44.504Z
CISA Enriched: true

Threat ID: 682d983ec4522896dcbf0353

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 6/24/2025, 1:14:13 PM

Last updated: 7/29/2025, 12:10:53 AM
