CVE-2024-2840

Name of the Vulnerable Software and Affected Versions Enhanced Media Library plugin for WordPress versions up to, and including, 2.8.9

Description The issue allows authenticated attackers with author-level access and above to inject arbitrary web scripts in pages via media upload functionality. This is possible because the plugin permits the upload of 'dfxp' files, making it possible for attackers to inject scripts that will execute whenever a user accesses an injected page.

Recommendations For versions up to, and including, 2.8.9, update to a version that fixes this issue to prevent stored cross-site scripting attacks. As a temporary workaround, consider restricting media upload functionality to prevent the upload of potentially malicious files, such as 'dfxp' files, until a patch is available.