What the vulnerability does
01 Description
The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint, due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to download files uploaded by other users and expose potentially sensitive information.
Explanation of Vulnerability in Simple Terms
02 Summary
The plugin's file_download endpoint does not verify that the requester is allowed to access the file identified by the key it supplies. An unauthenticated attacker can therefore read files uploaded by other users without authorization. The vulnerability affects all versions up to and including 6.4.6.0. Site administrators should update to a version newer than 6.4.6.0 when available.
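To make "missing validation on a user-controlled key" concrete, the following is an added example written for this page; it is not PeepSo's code and does not reproduce the plugin's actual route. It registers a minimal WordPress REST route that serves an uploaded file by numeric ID, first in the shape the description implies (public route, client-supplied key trusted as-is) and then hardened with a permission_callback that authenticates the caller and checks that the requested file belongs to them. The namespace example/v1, the file_id parameter, the helper example_stream_file(), and the storage model (each upload is an attachment post whose post_author is the uploader) are assumptions made for the illustration.

```php
<?php
// Added illustration, not PeepSo's code. Assumptions: route namespace
// 'example/v1', request parameter 'file_id', and uploads stored as
// WordPress attachment posts authored by the user who uploaded them.

add_action( 'rest_api_init', function () {

    // Vulnerable shape (IDOR): the route is public and the key coming from the
    // client is used directly to locate the file, so any visitor can iterate
    // IDs and download every user's uploads.
    register_rest_route( 'example/v1', '/file_download_insecure', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            $file_id = (int) $request->get_param( 'file_id' );
            $path    = get_attached_file( $file_id ); // no owner check at all
            return example_stream_file( $path );
        },
    ) );

    // Hardened shape: validate the key, require an authenticated caller, and
    // enforce object-level authorization (uploader or a privileged user) before
    // a single byte of the file is sent.
    register_rest_route( 'example/v1', '/file_download', array(
        'methods'             => 'GET',
        'args'                => array(
            'file_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 1,
                'sanitize_callback' => 'absint',
            ),
        ),
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.',
                    array( 'status' => 401 ) );
            }
            $post = get_post( (int) $request->get_param( 'file_id' ) );
            if ( ! $post || 'attachment' !== $post->post_type ) {
                return new WP_Error( 'rest_not_found', 'No such file.',
                    array( 'status' => 404 ) );
            }
            // The actual IDOR fix: tie the key to the caller. Authentication
            // alone would still let any member read any other member's file.
            $is_owner = (int) $post->post_author === get_current_user_id();
            if ( ! $is_owner && ! current_user_can( 'edit_post', $post->ID ) ) {
                return new WP_Error( 'rest_forbidden', 'Not your file.',
                    array( 'status' => 403 ) );
            }
            return true;
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $path = get_attached_file( (int) $request->get_param( 'file_id' ) );
            return example_stream_file( $path );
        },
    ) );
} );

// Hypothetical helper: stream the file as a download and stop WordPress from
// wrapping the bytes in a JSON REST envelope.
function example_stream_file( $path ) {
    if ( ! $path || ! is_readable( $path ) ) {
        return new WP_Error( 'rest_not_found', 'File not readable.',
            array( 'status' => 404 ) );
    }
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'Content-Disposition: attachment; filename="'
        . rawurlencode( basename( $path ) ) . '"' );
    readfile( $path );
    exit;
}
```

Two points a practitioner should take from this. First, a permission_callback that only checks is_user_logged_in() closes the "unauthenticated" part of the advisory but leaves the IDOR itself: every member could still fetch every other member's files, so the ownership (or capability) check on the specific object is what actually fixes the class of bug. Second, cookie-authenticated REST requests must also carry a valid X-WP-Nonce header; without it WordPress treats the request as anonymous, which is worth remembering when testing whether a site rejects unauthenticated downloads. The insecure route is registered here only for side-by-side comparison and should never ship.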
What an attacker can do
03 Attacker Capabilities
Download files uploaded by other users, without authenticating, by supplying a key referencing another user's file to the file_download REST API endpoint.
Potential impact on your site
04 Site Impact
User-uploaded files may be exposed to unauthorized access, risking privacy and data leaks.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 14, 2025
CVE published
April 8, 2026
Record updated