CVE-2024-2345 in FileBird Plugin
Summary
by MITRE • 05/02/2024
The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the folder name parameter in all versions up to, and including, 5.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/23/2025
The FileBird WordPress plugin represents a widely used media library management solution that enhances WordPress functionality by organizing files into folders and providing advanced file handling capabilities. This particular vulnerability affects versions up to and including 5.6.3, making it a significant concern for WordPress administrators who rely on this plugin for media organization. The vulnerability stems from inadequate input validation mechanisms within the plugin's folder management functionality, specifically when processing folder names submitted through the administrative interface.
The technical flaw manifests as a stored cross-site scripting vulnerability that occurs when the plugin fails to properly sanitize user input before storing and subsequently rendering folder names. When an authenticated attacker with author privileges or higher submits a malicious folder name containing script tags or other malicious code, the system stores this input without adequate sanitization. During subsequent page rendering, the improperly escaped output executes the injected scripts in the context of the victim's browser, creating a persistent XSS vector that can affect any user who accesses pages containing the compromised folder names.
This vulnerability operates under the Common Weakness Enumeration classification of CWE-79, which specifically addresses cross-site scripting flaws in web applications. The attack vector requires authentication with author-level privileges or higher, making it less accessible than client-side vulnerabilities but still dangerous within compromised administrative environments. The operational impact extends beyond simple script execution as attackers can potentially steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious sites. The stored nature of this vulnerability means that once injected, malicious scripts persist until manually removed from the plugin's database storage.
The attack follows patterns consistent with the MITRE ATT&CK framework's T1546.001 technique for 'Modify Registry' and T1566.001 for 'Phishing' when considering the potential for credential theft and user manipulation. The vulnerability affects WordPress installations where the FileBird plugin is active, potentially compromising entire sites if administrators are unaware of the malicious folder names. The attack chain begins with authentication, followed by folder name manipulation, and concludes with script execution in victim browsers. The impact is particularly severe because it allows attackers to establish persistent footholds within WordPress environments, potentially leading to full site compromise and data exfiltration.
Mitigation strategies should include immediate patching to version 5.6.4 or later, which addresses the sanitization issues. Administrators should implement the principle of least privilege, restricting user access to only necessary administrative functions. Input validation should be strengthened through proper escaping of all user-submitted content before storage, particularly for parameters that are later rendered in web pages. Regular security audits should monitor for unauthorized folder modifications, and multi-factor authentication should be implemented to reduce the impact of credential compromise. Network monitoring tools should be configured to detect suspicious script injections, and regular backups should be maintained to facilitate quick recovery from potential exploitation. The vulnerability highlights the importance of proper input sanitization and output escaping in web applications, particularly those handling user-generated content in administrative contexts.
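
The sanitize-on-input, escape-on-output and audit steps described above, as an added example in Python. It is not FileBird's code or its patch. The folder rows, function names and detection patterns are assumptions constructed for illustration, since the page does not describe the plugin's storage layout.

```python
import html
import re

# Constructed sample of (folder_id, folder_name) rows; the plugin's real
# storage layout is not described on the page, so a plain list stands in.
SAMPLE_FOLDERS = [
    (1, "Invoices 2024"),
    (2, "Logos & Icons"),
    (3, "<script>alert(1)</script>"),
    (4, 'Banners" onmouseover="alert(1)'),
    (5, "Press <b>kit</b>"),
]

# Patterns that are inert in escaped output but active if a name is
# rendered as raw HTML or dropped into an attribute value.
CHECKS = {
    "html-tag": re.compile(r"<\s*/?\s*[a-zA-Z!]"),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "script-url": re.compile(r"javascript\s*:", re.I),
}

def sanitize_for_storage(name: str) -> str:
    """Input side: drop tags and control characters, collapse whitespace."""
    name = re.sub(r"<[^>]*>", "", name)
    name = re.sub(r"[\x00-\x1f\x7f]", " ", name)
    return re.sub(r"\s+", " ", name).strip()

def render_folder(name: str) -> str:
    """Output side: escape for both element and attribute context."""
    safe = html.escape(name, quote=True)
    return f'<span class="folder" title="{safe}">{safe}</span>'

def audit(folders):
    """Return {folder_id: [check names]} for stored names needing review."""
    findings = {}
    for folder_id, name in folders:
        hits = [label for label, rx in CHECKS.items() if rx.search(name)]
        if hits:
            findings[folder_id] = hits
    return findings

if __name__ == "__main__":
    for folder_id, hits in audit(SAMPLE_FOLDERS).items():
        print(folder_id, hits)
    print(render_folder(SAMPLE_FOLDERS[3][1]))
```

Row 4 passes through the input-side tag stripping unchanged and is neutralised only by the output escaping, which is why both layers are needed. The audit matters after upgrading as well, because names stored before the fix remain in the database.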