CVE-2024-0691: 
WordPress vulnerability analysis and mitigation

The FileBird plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0691) affecting all versions up to and including 5.5.8.1. The vulnerability was discovered due to insufficient input sanitization and output escaping in the plugin's functionality (NVD).

The vulnerability stems from improper input sanitization and output escaping mechanisms in the FileBird plugin, specifically affecting imported folder titles. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 4.8 (Medium) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with administrator access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page. Additionally, there is a potential risk of social engineering attacks where administrators could be manipulated into uploading malicious folder imports (NVD).

A patch has been released to address this vulnerability. Users are advised to update their FileBird plugin to a version newer than 5.5.8.1 to protect against this security issue (WordPress Patch).