VYPR
Unrated severity · NVD Advisory · Published Aug 22, 2024 · Updated Apr 8, 2026

User Private Files <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private File Access

CVE-2024-7848

Description

The User Private Files plugin for WordPress ≤ 2.1.0 has an IDOR vulnerability allowing authenticated users (subscriber+) to access other users' private files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The User Private Files – WordPress File Sharing Plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in all versions up to and including 2.1.0. The flaw is in the dpk_upvf_update_doc function, which selects the target document from the user-controlled docid parameter without verifying that the requesting user owns that document. Because that ownership check is missing, any authenticated user can read or manipulate private files belonging to other users [1]. A patched version, 2.1.6, is available [1].

Exploitation

An attacker needs an account with at least subscriber-level access to the WordPress site; no further privileges are required. The attacker sends a request to the vulnerable function with a docid value that corresponds to a private file owned by another user. Since docids are numeric, they can simply be iterated to enumerate every user's files. No interaction from the victim is required; the attacker only has to send the crafted request to the server [1].

Impact

Successful exploitation gives the attacker unauthorized access to private files uploaded by other users, compromising their confidentiality: the attacker can view and potentially download files intended to be restricted, and, because the affected function handles document updates, may also be able to manipulate another user's file records. The attacker does not gain administrative control or the ability to execute arbitrary code. If leaked files contain sensitive information (e.g., personally identifiable information, financial documents), the consequences are correspondingly more severe [1].

Mitigation

The vendor has released version 2.1.6 of the plugin, which fixes this vulnerability; update to it or a later version immediately. No workaround is known. Sites that cannot update right away should deactivate the plugin, or at least restrict who can obtain subscriber-level accounts (for example, by disabling open registration), which shrinks the pool of potential attackers but does not remove the flaw; applying the patch is the only complete mitigation [1].
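The following is an added illustration of the IDOR pattern described in the Vulnerability, Exploitation and Mitigation sections above, and of the ownership check that closes it. It is not the plugin's own code and is not taken from the advisory's references: the storage model (a hypothetical custom post type whose post_author is the owner, with the file path in a hypothetical post meta key), the handler names, the AJAX action name and the nonce action are all assumptions made for the example. Only the docid parameter name and the dpk_upvf_update_doc function name come from the advisory; the handlers below are named differently so as not to imply they reproduce the real one.

```php
<?php
// Added example, not the User Private Files plugin's code. Assumptions:
// documents are posts of a hypothetical type 'example_upvf_doc' whose
// post_author is the owning user, and the stored file path lives in the
// hypothetical meta key '_example_upvf_path'. Handler, AJAX action and
// nonce names are invented for illustration.

// Vulnerable pattern (the shape of the dpk_upvf_update_doc flaw): the
// document is resolved purely from the caller-supplied docid, so any
// logged-in user can point the request at any other user's document.
function example_upvf_update_doc_vulnerable() {
    $docid = isset( $_POST['docid'] ) ? absint( $_POST['docid'] ) : 0;
    $doc   = get_post( $docid );
    if ( ! $doc || 'example_upvf_doc' !== $doc->post_type ) {
        wp_send_json_error( 'not found', 404 ); // wp_send_json_* ends the request
    }
    // Missing: any check that get_current_user_id() matches $doc->post_author.
    $path = get_post_meta( $docid, '_example_upvf_path', true );
    wp_send_json_success( array( 'file' => basename( $path ) ) );
}

// Hardened pattern: the same lookup, plus authentication, a nonce, and an
// ownership check that binds the object to the requesting user.
function example_upvf_update_doc_fixed() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    // Rejects requests without a valid nonce for this action (dies with 403).
    check_ajax_referer( 'example_upvf_update_doc', 'nonce' );

    $docid = isset( $_POST['docid'] ) ? absint( $_POST['docid'] ) : 0;
    $doc   = get_post( $docid );
    if ( ! $doc || 'example_upvf_doc' !== $doc->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Authorization: the object must belong to the caller unless the caller
    // is an administrator. Answering 404 rather than 403 avoids confirming
    // to an enumerating attacker that a guessed docid belongs to someone.
    $is_owner = (int) $doc->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    $path = get_post_meta( $docid, '_example_upvf_path', true );
    wp_send_json_success( array( 'file' => basename( $path ) ) );
}

// Only the hardened handler is registered; the vulnerable one is kept for
// comparison. Logged-in users reach it through admin-ajax.php with
// action=example_upvf_update_doc, docid=<id> and nonce=<nonce>, the nonce
// being generated server-side by wp_create_nonce( 'example_upvf_update_doc' ).
add_action( 'wp_ajax_example_upvf_update_doc', 'example_upvf_update_doc_fixed' );
```

The ownership comparison is the whole fix: a capability check alone (for example `current_user_can( 'read' )`) would still pass for every subscriber, which is exactly the privilege level the advisory says suffices to exploit the flaw. The `wp_ajax_` hook already fires only for logged-in users, so the `is_user_logged_in()` guard is defence in depth rather than the control that matters.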

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
