CVE-2024-8918 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the File Manager Pro plugin for WordPress. The issue arises from inadequate validation of uploaded file types, allowing unauthenticated attackers to upload JavaScript (.js) and Cascading Style Sheets (.css) files. These files can be stored on the server and later executed in the context of the vulnerable website, enabling stored cross-site scripting (XSS) attacks. The vulnerability affects all versions up to and including 8.3.9. Exploitation does not require authentication or user interaction but does have a high attack complexity, likely due to the need to bypass any other security controls or to gain administrator permissions to upload files. The CVSS 3.1 base score is 7.4, indicating a high severity with a network attack vector, no privileges required, no user interaction, and a significant impact on confidentiality and integrity, but no impact on availability. This vulnerability can allow attackers to execute arbitrary scripts in the context of the victim's browser, potentially stealing sensitive data, hijacking sessions, or performing other malicious actions. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date.

The impact of CVE-2024-8918 is significant for organizations using the File Manager Pro plugin on WordPress sites. Successful exploitation can lead to stored XSS attacks, compromising the confidentiality and integrity of user data and site content. Attackers could execute arbitrary JavaScript in the context of site visitors, potentially stealing cookies, session tokens, or performing actions on behalf of users. This can lead to account takeover, data leakage, and reputational damage. Since the vulnerability is exploitable remotely without authentication, it increases the attack surface considerably. Although availability is not directly affected, the indirect consequences such as defacement or injection of malicious scripts can disrupt business operations and user trust. Organizations with high-traffic WordPress sites, especially those handling sensitive user information, are at elevated risk. The lack of current exploits in the wild suggests a window for proactive mitigation before widespread exploitation occurs.

To mitigate CVE-2024-8918, organizations should immediately update the File Manager Pro plugin once an official patch is released. Until then, implement strict file upload restrictions by configuring the web server or application firewall to block uploads of .js, .css, and other potentially dangerous file types. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Restrict file upload permissions to trusted administrators only and monitor upload directories for suspicious files. Conduct regular security audits and scanning for malicious scripts on the server. Additionally, consider disabling or replacing the vulnerable plugin with alternatives that enforce robust file validation. Implementing Web Application Firewalls (WAF) with rules to detect and block XSS payloads can provide an additional layer of defense. Educate administrators on the risks of unrestricted file uploads and enforce the principle of least privilege for all user roles.