The FileBird plugin for WordPress suffers from a stored XSS vulnerability due to improper neutralization of input in the folder name parameter. Authenticated attackers with author or higher privileges can inject arbitrary web scripts that execute in the context of other users viewing the injected content. This vulnerability arises from insufficient input sanitization and output escaping in all versions up to 5.6.3. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects network attack vector, low attack complexity, required privileges of author, no user interaction, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation allows an authenticated user with author-level access or higher to inject persistent malicious scripts via folder names. These scripts execute in the browsers of users who access the affected pages, potentially leading to session hijacking, privilege escalation, or other client-side impacts. The vulnerability affects confidentiality and integrity to a limited extent but does not impact availability. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, limit author-level access to trusted users only and consider monitoring for suspicious folder names or script injections. Avoid using the plugin in environments where untrusted users have author-level privileges. Follow updates from the vendor ninjateam for any forthcoming patches.