CVE-2024-2345 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-80, found in the FileBird – WordPress Media Library Folders & File Manager plugin developed by ninjateam. This vulnerability exists in all versions up to and including 5.6.3 due to improper neutralization of script-related HTML tags in the folder name parameter. The root cause is insufficient input sanitization and output escaping, which allows an authenticated attacker with author-level or higher privileges to inject arbitrary JavaScript code into folder names. When any user accesses a page displaying the malicious folder name, the injected script executes in their browser context. This can lead to theft of session cookies, unauthorized actions on behalf of users, or further compromise of the WordPress site. The vulnerability requires authentication but no user interaction beyond viewing the affected page. The CVSS v3.1 score of 6.4 reflects a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a credible risk. The vulnerability affects a widely used WordPress plugin that organizes media folders, making it relevant for many websites relying on WordPress for content management.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the FileBird plugin for WordPress. Exploitation could allow attackers to execute malicious scripts in the context of legitimate users, potentially leading to session hijacking, unauthorized content changes, or privilege escalation within the WordPress environment. This can compromise the confidentiality and integrity of website data and user information. Organizations with customer-facing websites, intranets, or portals using this plugin may face reputational damage, data leakage, or unauthorized administrative actions. Given the requirement for authenticated access at author level or higher, the threat is more significant in environments where multiple users have elevated permissions or where author accounts are less strictly controlled. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly known. European entities in sectors such as e-commerce, media, education, and government that rely on WordPress and this plugin are particularly at risk. Additionally, GDPR considerations mean that any data breach resulting from exploitation could lead to regulatory penalties.

1. Immediately update the FileBird plugin to a patched version once available from the vendor. Monitor ninjateam’s official channels for security updates. 2. Until a patch is released, restrict author-level and higher permissions to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the folder name parameter. 4. Conduct regular audits of folder names and other user-generated content for suspicious scripts or HTML tags. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 6. Educate site administrators and content authors about the risks of injecting untrusted content and enforce strict input validation policies. 7. Monitor logs for unusual activity or access patterns indicative of exploitation attempts. 8. Consider isolating or sandboxing the WordPress environment to limit the impact of any successful exploit. 9. Review and tighten user role assignments and permissions within WordPress to follow the principle of least privilege. 10. Backup website data regularly to enable quick recovery if compromise occurs.