
CVE-2024-8988: CWE-639 Authorization Bypass Through User-Controlled Key in PeepSo PeepSo Core: File Uploads

Severity: Medium
Published: Wed May 14 2025 (05/14/2025, 08:22:09 UTC)
Source: CVE
Vendor/Project: PeepSo
Product: PeepSo Core: File Uploads

Description

The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to download files uploaded by other users and expose potentially sensitive information.

AI-Powered Analysis

Last updated: 07/06/2025, 16:54:49 UTC

Technical Analysis

CVE-2024-8988 is a medium-severity vulnerability affecting the PeepSo Core: File Uploads plugin for WordPress, present in all versions up to and including 6.4.6.0. The vulnerability is classified as an Insecure Direct Object Reference (IDOR), corresponding to CWE-639, which arises due to insufficient authorization validation on a user-controlled key parameter within the file_download REST API endpoint. This flaw allows unauthenticated attackers to exploit the endpoint by manipulating the key parameter to download files uploaded by other users without proper permission checks. Since the vulnerability requires no authentication or user interaction and can be exploited remotely over the network, it poses a risk of unauthorized disclosure of potentially sensitive files stored on affected WordPress sites using the PeepSo plugin. The CVSS 3.1 base score is 5.3 (medium), reflecting the vulnerability's network attack vector, low complexity, no privileges required, no user interaction, and limited impact confined to confidentiality loss without affecting integrity or availability. No known public exploits have been reported yet, and no official patches have been linked at the time of publication. The vulnerability primarily threatens the confidentiality of user-uploaded files, which may include personal data, private communications, or other sensitive content, depending on the deployment context of the PeepSo plugin. Organizations using PeepSo for community or social networking features on WordPress should consider this vulnerability a significant privacy risk and prioritize remediation once patches become available.

Potential Impact

For European organizations, the impact of CVE-2024-8988 can be substantial, especially for those operating community platforms, social networks, or membership sites using the PeepSo plugin on WordPress. Unauthorized file access could lead to exposure of personal data protected under GDPR, resulting in legal and regulatory consequences including fines and reputational damage. Confidential user information, intellectual property, or internal documents stored as uploads could be leaked, undermining trust and potentially facilitating further targeted attacks. The vulnerability's ability to be exploited without authentication increases the risk of automated scanning and mass exploitation attempts. Given the widespread use of WordPress in Europe and the popularity of social/community plugins like PeepSo, the threat surface is significant. Organizations in sectors such as education, healthcare, media, and non-profits that rely on user-generated content and file sharing are particularly vulnerable. Additionally, the exposure of sensitive files could aid espionage or competitive intelligence efforts, especially in countries with high digital activity and stringent data protection laws.

Mitigation Recommendations

1. Immediate mitigation involves disabling or restricting access to the file_download REST API endpoint until a patch is available. This can be done via web application firewall (WAF) rules or custom server-side access controls limiting requests to authenticated and authorized users only.
2. Monitor web server and application logs for unusual or repeated access attempts to the file_download endpoint, especially from unauthenticated sources, to detect potential exploitation attempts early.
3. Implement strict file access controls and segregate sensitive uploads in directories not directly accessible via the web or REST API.
4. Once available, promptly apply official patches or updates released by PeepSo to fix the authorization validation flaw.
5. Conduct a thorough audit of uploaded files to identify any sensitive data that may have been exposed and notify affected users if necessary to comply with GDPR breach notification requirements.
6. Educate site administrators on the risks of exposing REST API endpoints and encourage regular security reviews of plugins and their configurations.
7. Consider deploying additional security plugins or tools that enforce granular access control on REST API endpoints and file resources within WordPress environments.
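
For the log monitoring in recommendation 2, the following is an added example, not code from PeepSo or from this advisory. It assumes Combined Log Format access logs, which do not record whether a request was authenticated, so it flags clients that were served files for many distinct request targets on the endpoint instead. The route namespace, the `key` parameter name and the threshold are placeholders.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_file_download(target):
    # Assumption: the advisory names only "file_download", not the full route,
    # so match that substring under either WordPress REST URL form.
    t = target.lower()
    return ("/wp-json/" in t or "rest_route=" in t) and "file_download" in t

def summarize(lines):
    """Per client IP: hits, HTTP 200 responses, distinct request targets."""
    stats = defaultdict(lambda: {"hits": 0, "ok": 0, "targets": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_file_download(m["target"]):
            continue
        s = stats[m["ip"]]
        s["hits"] += 1
        s["ok"] += m["status"] == "200"
        s["targets"].add(m["target"])
    return stats

def suspicious_clients(lines, min_distinct=3):
    """Clients that were served files for many different object references."""
    rows = [(ip, s["hits"], s["ok"], len(s["targets"]))
            for ip, s in summarize(lines).items()
            if s["ok"] > 0 and len(s["targets"]) >= min_distinct]
    return sorted(rows, key=lambda r: -r[3])

# Constructed sample log lines. "EXAMPLE-NS" and the "key" parameter are
# placeholders, not the plugin's real route or parameter name.
FMT = '{ip} - - [14/May/2025:09:00:0{n} +0000] "GET {t} HTTP/1.1" {st} 512 "-" "-"'
EP = "/wp-json/EXAMPLE-NS/file_download?key="
SAMPLE = [
    FMT.format(ip="203.0.113.7", n=1, t=EP + "101", st=200),
    FMT.format(ip="203.0.113.7", n=2, t=EP + "102", st=200),
    FMT.format(ip="203.0.113.7", n=3, t=EP + "103", st=200),
    FMT.format(ip="203.0.113.7", n=4, t=EP + "104", st=404),
    FMT.format(ip="198.51.100.20", n=5, t=EP + "55", st=200),
    FMT.format(ip="198.51.100.20", n=6, t="/wp-json/wp/v2/posts", st=200),
]

if __name__ == "__main__":
    for row in suspicious_clients(SAMPLE):
        print("ip=%s hits=%d ok=%d distinct=%d" % row)
```

Tune `min_distinct` against normal traffic for the site, since a legitimate member may download several of their own files in one session.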


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-09-18T21:52:48.146Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fc1484d88663aecb32

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 4:54:49 PM

Last updated: 8/14/2025, 11:33:48 PM
