CVE-2024-0691

Name of the Vulnerable Software and Affected Versions FileBird plugin for WordPress versions up to, and including, 5.5.8.1

Description The issue is related to Stored Cross-Site Scripting via imported folder titles due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. It may also be possible to socially engineer an administrator into uploading a malicious folder import.

Recommendations For versions up to, and including, 5.5.8.1, update to a version later than 5.5.8.1 to resolve the issue. As a temporary workaround, consider restricting access to the folder import feature to minimize the risk of exploitation. Avoid using the imported folder titles feature until the issue is resolved.