WordPress Plugin Vulnerabilities

User Private Files < 2.1.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private File Access

Description

The User Private Files – WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'dpk_upvf_update_doc' due to missing validation on the 'docid' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to gain access to other user's private files.

Affects Plugins

Plugin icon
user-private-files
Fixed in 2.1.1

References

CVE
CVE-2024-7848
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0fb06de8-97d6-46c3-83ef-93a209540259

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
818a77cd-0a28-4d0a-a067-94ae79a19369

Timeline

Publicly Published
2024-08-21 (about 1 year ago)
Added
2024-08-21 (about 1 year ago)
Last Updated
2024-08-22 (about 1 year ago)

Other

Published
Title
Published
2025-03-19
Title
NP Quote Request for WooCommerce < 1.9.180 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure
Published
2025-06-05
Title
Password Policy Manager < 2.0.5 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover
Published
2022-10-04
Title
WooCommerce Products Vendor < 2.1.66 - Note Creation via IDOR
Published
2024-11-08
Title
Cowidgets – Elementor Addons <= 1.2.0 - Authenticated (Contributor+) Post Disclosure
Published
2025-10-21
Title
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier < 2.0.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out