Stored Cross-Site Scripting Vulnerability in FileBird Plugin for WordPress
CVE-2024-2345

6.4 MEDIUM

Key Information:

Summary

The FileBird plugin for WordPress is susceptible to stored cross-site scripting due to insufficient input validation and output sanitization when handling the folder name parameter. This vulnerability enables authenticated attackers with author-level permissions or higher to inject arbitrary scripts into folder names; the scripts execute in the browser of any user who views a page that displays an injected folder name. This poses significant security risks, as it compromises the integrity of web pages viewed by users. It is crucial for site administrators to update to a secure version and to adopt best practices in input validation and output escaping to mitigate the risks associated with this vulnerability.
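The advisory names the two missing controls: sanitizing the folder name when it is received and escaping it when it is printed. The following is an added illustration written for this page, not FileBird's own code; the action, function and option names are hypothetical, while the WordPress API calls are real.

```php
<?php
// Added example (not FileBird's code): a hypothetical WordPress AJAX handler
// that creates a media-library folder. Action, function and option names are
// assumptions for illustration. It shows the two controls whose absence the
// advisory describes: sanitizing the folder name on input and escaping it
// again on output.

add_action( 'wp_ajax_example_create_folder', 'example_create_folder' );

function example_create_folder() {
    // Only users allowed to upload files may create folders, and the request
    // must carry a nonce so it cannot be forged from another site.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_folder_nonce', 'nonce' );

    // Input sanitization: remove the slashes WordPress adds to request data,
    // then strip tags, control characters and surrounding whitespace. Length
    // is capped so a folder name cannot carry an arbitrarily large value.
    $raw  = isset( $_POST['name'] ) ? wp_unslash( $_POST['name'] ) : '';
    $name = sanitize_text_field( $raw );
    $name = mb_substr( $name, 0, 100 );
    if ( '' === $name ) {
        wp_send_json_error( 'empty folder name', 400 );
    }

    $folders   = get_option( 'example_folders', array() );
    $folders[] = $name;
    update_option( 'example_folders', $folders );

    wp_send_json_success( array( 'name' => $name ) );
}

function example_render_folders() {
    // Output escaping: even a name that passed sanitization is escaped for
    // the HTML context it is printed into, so a stored value can never be
    // interpreted as markup or script by the viewer's browser.
    $folders = get_option( 'example_folders', array() );
    echo '<ul class="example-folders">';
    foreach ( $folders as $folder ) {
        printf(
            '<li data-name="%s">%s</li>',
            esc_attr( $folder ),
            esc_html( $folder )
        );
    }
    echo '</ul>';
}
```

Both layers matter: input sanitization limits what reaches the database, and output escaping protects every template that later prints the stored name, including ones added after the input check was written.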

Affected Version(s)

FileBird – WordPress Media Library Folders & File Manager <= 5.6.3

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Tim Coen