Users can browse through the WordPress directories from browser. You can prevent this access from .htaccess using a simple line of code.
So, anyone can access the files and attacks against possible vulnerabilities in the plug-ins are possible if WordPress directory access from browser is not prevented.
It is not funny to show all the things you have in your server.
Prevent WordPress directory access from .htaccess
Open to the htaccess in your root directory and add the following line:
# Prevents directory listing Options -Indexes
Singular and plural differs greatly enough to show 404 error!
Bonus tips to prevent WordPress directory access
Some WordPress Security plugins can also prevent the WordPress directory access from browser. But, the users (or better to say hackers) will see a blank White page instead of Forbidden page which we will get by tweaking the .htaccess.