CVE-2024-8988 is an authorization bypass vulnerability categorized under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the PeepSo Core: File Uploads plugin for WordPress. The vulnerability exists in all versions up to and including 6.4.6.0. It arises from an Insecure Direct Object Reference (IDOR) condition in the file_download REST API endpoint, where the plugin fails to properly validate a user-controlled key parameter. This lack of validation allows unauthenticated attackers to craft requests to download files uploaded by other users without any authorization checks. The flaw compromises confidentiality by exposing potentially sensitive user-uploaded files. The vulnerability is remotely exploitable over the network without requiring any privileges or user interaction, increasing its risk profile. Although no public exploits have been reported yet, the widespread use of PeepSo in WordPress social networking sites makes this a significant concern. The CVSS v3.1 base score is 5.3, reflecting medium severity, with the vector indicating network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact without integrity or availability effects.

The primary impact of CVE-2024-8988 is unauthorized disclosure of sensitive information stored in user-uploaded files within PeepSo-powered WordPress sites. This can lead to privacy violations, leakage of personal or proprietary data, and potential reputational damage for affected organizations. Since the vulnerability allows unauthenticated remote access to files, attackers can systematically harvest data without detection. For organizations hosting communities, social networks, or membership sites using PeepSo, this could expose user-generated content, private documents, or other confidential materials. Although the vulnerability does not allow modification or deletion of files, the confidentiality breach alone can have serious compliance and trust implications. The lack of known exploits currently reduces immediate risk, but the ease of exploitation and network accessibility mean attackers could develop exploits rapidly. This threat is especially impactful for organizations relying heavily on PeepSo for user engagement and data sharing.

To mitigate CVE-2024-8988, organizations should immediately update the PeepSo Core: File Uploads plugin to a patched version once available from the vendor. Until a patch is released, administrators can implement strict access controls at the web server or application firewall level to restrict access to the file_download REST API endpoint, allowing only authenticated and authorized users. Monitoring and logging access to this endpoint can help detect suspicious activity. Additionally, organizations should review and limit the types of files users can upload and consider encrypting sensitive files at rest. Employing a Web Application Firewall (WAF) with custom rules to block unauthorized REST API requests targeting file downloads can provide temporary protection. Regular security audits and vulnerability scanning of WordPress plugins should be conducted to identify similar issues proactively. Finally, educating site administrators about the risks of exposing REST API endpoints without proper authorization checks is essential.