CVE-2024-8988

MEDIUM 5.3

PeepSo Core: File Uploads <= 6.4.6.0 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via file_download

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download files uploaded by others users and expose potentially sensitive information.

CWE	CWE-639
Vendor	peepso
Product	peepso core: file uploads
Published	May 14, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for peepso peepso core: file uploads

Be the first to know when new medium vulnerabilities affecting peepso peepso core: file uploads are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

PeepSo / PeepSo Core: File Uploads

0 ≤ 6.4.6.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/d3184996-655c-41d5-a3c5-6b36fbff58dc?source=cve peepso.com: https://www.peepso.com/changelog/

Credits

Bikram Kharal