The vulnerability identified as CVE-2024-8743 affects the Bit File Manager plugin for WordPress, an open-source file manager and code editor widely used to manage website files. The flaw arises from improper validation of uploaded file types, specifically allowing authenticated users with Subscriber-level access and above (with permissions granted by an administrator) to upload JavaScript (.js) and Cascading Style Sheets (.css) files. This unrestricted upload capability violates secure file handling principles (CWE-434) and can be exploited to inject malicious scripts into the web application, resulting in stored cross-site scripting (XSS). Stored XSS enables attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, data theft, or further compromise of the WordPress site. The vulnerability does not require user interaction beyond the upload and leverages low privilege accounts, increasing the attack surface. The CVSS 3.1 base score of 6.8 reflects network attack vector, high impact on confidentiality and integrity, low privileges required, and no user interaction needed. The vulnerability affects all plugin versions up to 6.5.7, and no official patches or exploits in the wild have been reported at the time of publication. The root cause is the lack of proper server-side checks on allowed file types during upload, which should restrict executable or script files to prevent abuse. This vulnerability is particularly dangerous in multi-user WordPress environments where users have delegated permissions to upload or manage files.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks, which can compromise the confidentiality and integrity of website data and user sessions. Attackers could inject malicious scripts that execute in the browsers of site visitors or administrators, leading to session hijacking, credential theft, defacement, or distribution of malware. Since the vulnerability requires only Subscriber-level access with granted upload permissions, attackers can exploit compromised or malicious low-privilege accounts, expanding the threat beyond administrators. This can undermine trust in affected websites, cause data breaches, and disrupt normal operations. Although availability is not directly impacted, the reputational damage and potential regulatory consequences from data exposure can be significant. Organizations relying on this plugin for file management on WordPress sites are at risk, especially those with multiple users and delegated permissions. The lack of known exploits in the wild currently limits immediate widespread damage, but the vulnerability’s nature makes it a likely target for attackers once weaponized.

To mitigate this vulnerability, organizations should immediately review and restrict file upload permissions within the Bit File Manager plugin, ensuring only trusted users have upload capabilities. Administrators should implement strict server-side validation to whitelist allowed file types, explicitly blocking .js, .css, and other potentially dangerous files from being uploaded. If possible, disable file uploads for users with Subscriber-level access or lower unless absolutely necessary. Monitoring and logging file upload activities can help detect suspicious behavior early. Applying the latest plugin updates as soon as a patch is released is critical. In the interim, consider deploying web application firewalls (WAFs) with rules to detect and block malicious script uploads or stored XSS payloads. Additionally, security teams should conduct regular vulnerability scans and penetration tests focusing on file upload functionalities. Educating users about the risks of uploading unauthorized files and enforcing the principle of least privilege will reduce exposure. Finally, consider isolating file upload directories and implementing Content Security Policy (CSP) headers to limit the impact of any injected scripts.