FileBird – WordPress Media Library Folders & File Manager <= 5.6.3 - Authenticated (Author+) Stored Cross-Site Scripting

Wordfence Intelligence   >   Vulnerability Database   >   FileBird – WordPress Media Library Folders & File Manager <= 5.6.3 - Authenticated (Author+) Stored Cross-Site Scripting
6.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE CVE-2024-2345
CVSS 6.4 (Medium)
Publicly Published April 16, 2024
Last Updated May 31, 2024
Researcher Tim Coen

Description

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the folder name parameter in all versions up to, and including, 5.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Learn more about Cross-Site Scripting vulnerabilities and how to prevent them.

References

Share

Vulnerability Details for FileBird – WordPress Media Library Folders & File Manager

FileBird – WordPress Media Library Folders & File Manager

Software Type Plugin
Software Slug filebird (view on wordpress.org)
Patched? Yes
Remediation Update to version 5.6.4, or a newer patched version
Affected Version
  • <= 5.6.3
Patched Version
  • 5.6.4

Recent vulnerabilities in FileBird – WordPress Media Library Folders & File Manager

FileBird – WordPress Media Library Folders & File Manager <= 6.5.1 - Missing Authorization to Authenticated (Author+) Global Folders Tampering
4.3
CVE-2025-12900
Dec 15, 2025
Researcher: type5afe
FileBird <= 6.4.9 - Improper Authorization to Authenticated (Author+) Settings Reset
4.3
CVE-2025-11510
Oct 17, 2025
Researcher: kai
FileBird – WordPress Media Library Folders & File Manager <= 6.4.8 - Authenticated (Author+) SQL Injection
6.5
CVE-2025-6986
Aug 5, 2025
Researcher: Kenneth Billones
Filebird <= 6.4.2.1 - Authenticated (Author+) Insecure Direct Object Reference
4.3
CVE-2025-26977
Feb 23, 2025
Researcher: Revan Arifio
Filebird <= 6.3.2 - Missing Authorization
4.3
CVE-2024-53825
Dec 2, 2024
Researcher: Rafie Muhammad
FileBird – WordPress Media Library Folders & File Manager <= 5.6.3 - Authenticated (Author+) Insecure Direct Object Reference
5.4
CVE-2024-2346
Apr 16, 2024
Researcher: Tim Coen
FileBird <= 5.6.0 - Authenticated(Administrator+) Stored Cross-Site Scripting via Folder Import
5.5
CVE-2024-0691
Jan 19, 2024
Researcher: Thomas Sanzey
Filebird <= 5.1.4 - Missing Authorization via resAdminPermissionsCheck
5.4
CVE-2023-25966
Mar 27, 2023
Researcher: Rafshanzani Suhada
Filebird 4.7.3 - Unauthenticated SQL Injection
9.8
CVE-2021-24385
Jun 16, 2021
Researcher: Ravi Chandra (10up)
# Title CVE ID CVSS Researchers Date
1 FileBird – WordPress Media Library Folders & File Manager <= 6.5.1 - Missing Authorization to Authenticated (Author+) Global Folders Tampering CVE-2025-12900 4.3 type5afe December 15, 2025
2 FileBird <= 6.4.9 - Improper Authorization to Authenticated (Author+) Settings Reset CVE-2025-11510 4.3 kai October 17, 2025
3 FileBird – WordPress Media Library Folders & File Manager <= 6.4.8 - Authenticated (Author+) SQL Injection CVE-2025-6986 6.5 Kenneth Billones August 5, 2025
4 Filebird <= 6.4.2.1 - Authenticated (Author+) Insecure Direct Object Reference CVE-2025-26977 4.3 Revan Arifio February 23, 2025
5 Filebird <= 6.3.2 - Missing Authorization CVE-2024-53825 4.3 Rafie Muhammad December 2, 2024
6 FileBird – WordPress Media Library Folders & File Manager <= 5.6.3 - Authenticated (Author+) Insecure Direct Object Reference CVE-2024-2346 5.4 Tim Coen April 16, 2024
7 FileBird <= 5.6.0 - Authenticated(Administrator+) Stored Cross-Site Scripting via Folder Import CVE-2024-0691 5.5 Thomas Sanzey January 19, 2024
8 Filebird <= 5.1.4 - Missing Authorization via resAdminPermissionsCheck CVE-2023-25966 5.4 Rafshanzani Suhada March 27, 2023
9 Filebird 4.7.3 - Unauthenticated SQL Injection CVE-2021-24385 9.8 Ravi Chandra (10up) June 16, 2021
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation