
CVE-2024-2345: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in ninjateam FileBird – WordPress Media Library Folders & File Manager

Severity: Medium
Tags: CVE-2024-2345, CWE-80
Published: Thu May 02 2024 (05/02/2024, 16:51:46 UTC)
Source: CVE Database V5
Vendor/Project: ninjateam
Product: FileBird – WordPress Media Library Folders & File Manager

Description

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the folder name parameter in all versions up to, and including, 5.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 10:41:45 UTC

Technical Analysis

The vulnerability identified as CVE-2024-2345 affects the FileBird – WordPress Media Library Folders & File Manager plugin, widely used to organize media files within WordPress sites. The flaw is a stored Cross-Site Scripting (XSS) vulnerability categorized under CWE-80, caused by improper neutralization of script-related HTML tags in the folder name parameter. Specifically, the plugin fails to adequately sanitize and escape user-supplied folder names before rendering them on pages. Authenticated users with author or higher privileges can exploit this by injecting arbitrary JavaScript code into folder names. When any user visits a page displaying the malicious folder name, the injected script executes in their browser context. This can lead to session hijacking, privilege escalation, or other malicious activities depending on the payload. The vulnerability affects all versions up to and including 5.6.3. The CVSS 3.1 base score is 6.4, reflecting that the attack vector is network-based, requires low attack complexity, privileges at the author level, no user interaction, and impacts confidentiality and integrity with scope changed (affecting other components). No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The flaw is significant because WordPress powers a large portion of the web, and FileBird is a popular plugin, increasing the potential attack surface. The vulnerability’s exploitation requires authentication but no further user interaction, making it a moderate risk for sites that allow author-level users to create or rename folders.

Potential Impact

The primary impact of this vulnerability is the compromise of confidentiality and integrity within affected WordPress sites. Malicious scripts injected via folder names can execute in the context of any user visiting the affected page, potentially stealing session cookies, performing actions on behalf of users, or delivering further malware. This can lead to unauthorized access, data leakage, and defacement. Since the vulnerability requires author-level access, attackers must first compromise or have legitimate access to such accounts, which may be easier in environments with weak access controls or compromised credentials. The vulnerability does not affect availability directly but can indirectly cause service disruption if exploited to deface sites or inject malicious content. Organizations relying on FileBird for media management are at risk of reputational damage, loss of user trust, and compliance violations if sensitive data is exposed. The widespread use of WordPress and this plugin means many websites globally could be affected, especially those with multiple authors or contributors. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is public.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately restrict author-level privileges to trusted users only and review existing user roles to minimize unnecessary author access. Implement strict input validation and output encoding for folder names, either by applying available patches once released or by using Web Application Firewalls (WAFs) with custom rules to detect and block malicious script payloads in folder names. Site administrators should monitor logs and user activity for suspicious folder name changes or script injection attempts. Regularly update the FileBird plugin to the latest version once a patch addressing this vulnerability is released. As a temporary workaround, disabling the plugin or restricting folder renaming functionality to administrators can reduce risk. Additionally, educating users about phishing and credential hygiene can prevent attackers from gaining author-level access. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts and reduce the risk of successful exploitation. Finally, conduct regular security audits and vulnerability scans to detect similar issues proactively.
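The "sanitize on save, escape on output" pattern that both the description and the mitigation section call for, as an added illustration that is not FileBird's code. The function names (`save_folder_name`, `render_folder_unsafe`, `render_folder_safe`) and the constructed sample folder name are assumptions; the `function_exists` fallbacks only stand in for WordPress's real `sanitize_text_field`, `esc_html` and `esc_attr` so the file runs with the PHP CLI outside WordPress, and they approximate rather than reproduce those functions.

```php
<?php
// Added example, not plugin code. Shows why a folder name that is stored
// verbatim and echoed into HTML is a stored XSS sink, and the hardened form.

// Minimal stand-ins so this runs outside WordPress. Inside a plugin, the
// WordPress functions of the same name are used and these blocks are skipped.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        // Approximation of WP behaviour: drop tags and control characters, collapse whitespace.
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim(preg_replace('/\s+/', ' ', $str));
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: whatever was stored is concatenated straight into markup,
// in both an attribute context and a text context.
function render_folder_unsafe(string $stored_name): string {
    return '<li class="folder" title="' . $stored_name . '">' . $stored_name . '</li>';
}

// Hardened pattern, step 1: normalise on save. A real handler would first
// verify a nonce and the caller's capability (e.g. current_user_can('upload_files')).
function save_folder_name(string $raw): string {
    $clean = sanitize_text_field($raw);
    // Bound the length so a name cannot carry an arbitrarily long payload.
    return mb_substr($clean, 0, 100);
}

// Hardened pattern, step 2: escape for the exact context at output time.
// Output escaping is the primary control: it also protects names that were
// stored before sanitisation existed.
function render_folder_safe(string $stored_name): string {
    return '<li class="folder" title="' . esc_attr($stored_name) . '">'
         . esc_html($stored_name) . '</li>';
}

// Constructed sample input: a folder name that carries HTML markup.
$raw = 'Photos <b>2024</b>';

echo render_folder_unsafe($raw), PHP_EOL;                   // markup reaches the page verbatim
echo render_folder_safe(save_folder_name($raw)), PHP_EOL;   // markup is stripped on save
echo render_folder_safe($raw), PHP_EOL;                     // legacy unsanitised value is still neutralised by escaping
```

The third call is the one that matters for an upgrade: rows written before a fix shipped are still rendered safely because escaping happens at output, independently of what was stored.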


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2024-03-08T22:15:29.374Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6942f8e8847f7e98df04b55b

Added to database: 12/17/2025, 6:39:36 PM

Last enriched: 2/28/2026, 10:41:45 AM

Last updated: 3/25/2026, 10:42:40 PM

Views: 103
