Given that orders’ data is private I would expect that orders’ uploaded files would be private as well. Nevertheless, they are publicly accessible from “wp-content/uploads/ppom_files/”, so please make them private as the other orders’ data.
Thanks, did you fix it?
A valid workaround for Apache web servers would be to automatically create an .htaccess file in folder “wp-content/uploads/ppom_files/” with “Options -Indexes” when your package creates it. Then increase the length of image random names when your packages creates them, so it is harder to guess them.