CVE-2024-7848

Name of the Vulnerable Software and Affected Versions User Private Files – WordPress File Sharing Plugin versions up to, and including, 2.1.0

Description The issue allows authenticated attackers with subscriber-level access and above to gain access to other users' private files due to missing validation on the docid user-controlled key in the 'dpk upvf update doc' endpoint. This makes it possible for low-level users to access others' private files.

Recommendations For versions up to, and including, 2.1.0, consider disabling the 'dpk upvf update doc' endpoint or restricting access to it until a patch is available. Additionally, restrict the use of the docid parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.