CVE-2024-8988 MEDIUM

CVE-2024-8988: PeepSo Core: File Uploads <= 6.4.6.0 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via file_download

Vendor Peepso
Product PeepSo Core: File Uploads
Weakness CWE-639 · IDOR
Published May 14, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to download files uploaded by other users and expose potentially sensitive information.
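The missing check described above, shown as an added WordPress REST sketch that is not PeepSo's code and not the vendor's fix. The `example/v1` namespace, the `file_key` parameter, the `example_lookup_file()` helper and the owner-or-administrator access rule are assumptions made for illustration.

```php
<?php
// Added illustration of CWE-639 in a WordPress REST route. Not PeepSo code:
// the namespace, "file_key" and example_lookup_file() are hypothetical.

// Hypothetical lookup: returns ['path' => ..., 'owner_id' => ...] or null.
function example_lookup_file( string $key ): ?array {
    $row = get_option( 'example_file_' . $key ); // stand-in storage (assumption)
    return is_array( $row ) ? $row : null;
}

add_action( 'rest_api_init', function () {
    $not_found = function () {
        return new WP_Error( 'not_found', 'Not found', array( 'status' => 404 ) );
    };

    // Weak pattern: the route is open to everyone and the handler treats
    // the caller-supplied key as sufficient proof of access.
    register_rest_route( 'example/v1', '/file_download_weak', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) use ( $not_found ) {
            $file = example_lookup_file( (string) $req['file_key'] );
            return $file ? rest_ensure_response( array( 'file' => basename( $file['path'] ) ) )
                         : $not_found();
        },
    ) );

    // Hardened pattern: require a logged-in caller, then authorize that
    // caller against the specific object the key resolves to.
    register_rest_route( 'example/v1', '/file_download', array(
        'methods'             => 'GET',
        'args'                => array(
            'file_key' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
        ),
        'permission_callback' => 'is_user_logged_in',
        'callback'            => function ( WP_REST_Request $req ) use ( $not_found ) {
            $file = example_lookup_file( $req['file_key'] );
            $uid  = get_current_user_id();
            // Object-level check: owner or site administrator only (assumed policy).
            $ok = $file && ( (int) $file['owner_id'] === $uid || current_user_can( 'manage_options' ) );
            // Same 404 for "missing" and "not yours" so keys cannot be probed.
            return $ok ? rest_ensure_response( array( 'file' => basename( $file['path'] ) ) )
                       : $not_found();
        },
    ) );
} );
```

A real handler would stream the file contents instead of returning its name; the authorization decision is the part that matters here.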

Explanation of Vulnerability in Simple Terms

02 Summary

PeepSo Core's file upload functionality does not properly restrict access to uploaded files. An unauthenticated attacker can read files uploaded by other users without authorization. The vulnerability affects all versions up to and including 6.4.6.0. Site administrators should update to a version newer than 6.4.6.0 when available.

What an attacker can do

03 Attacker Capabilities

Read files uploaded by other users without permission.

Potential impact on your site

04 Site Impact

User-uploaded files may be exposed to unauthorized access, risking privacy and data leaks.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

May 14, 2025 CVE published
April 8, 2026 Record updated