CVE-2024-2346
📋 TL;DR
This vulnerability in the FileBird WordPress plugin allows authenticated attackers with author-level access or higher to delete media folders created by other users, potentially exposing the files those users had filed away in them. It affects all versions up to and including 5.6.3: the plugin accepts a user-supplied folder identifier on the delete request without verifying that the requesting user is allowed to delete that folder. Any WordPress site running the vulnerable plugin with untrusted author-level (or higher) accounts is at risk.
💻 Affected Systems
- FileBird – WordPress Media Library Folders & File Manager
📦 What is this software?
FileBird, developed by Ninja Team, is a WordPress plugin that adds a folder hierarchy and file-manager interface on top of the WordPress media library.
⚠️ Risk & Real-World Impact
Worst Case
Malicious authors could systematically delete all media folders, causing data loss and exposing sensitive files uploaded by administrators or other users, potentially leading to information disclosure or site disruption.
Likely Case
An attacker with author privileges deletes specific folders to expose or disrupt other users' media files, causing minor data loss and potential privacy violations.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated folder deletions that can be restored from backups with minimal data exposure.
🎯 Exploit Status
Exploitation requires an authenticated session with author privileges or higher (a compromised account, or a self-registered account on a site that grants the author role). Once an attacker has such credentials the vulnerability is straightforward to exploit: it is a single authenticated request with a folder identifier belonging to another user, and no special tooling is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.4
Vendor Fix (plugin changeset, trunk 3049188 → 3060898): https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3060898%40filebird%2Ftrunk&old=3049188%40filebird%2Ftrunk
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the FileBird plugin and click 'Update Now'.
4. Verify that the installed version is 5.6.4 or higher.
🔧 Temporary Workarounds
Temporarily disable plugin
Disable the FileBird plugin until it can be patched. This removes the vulnerable delete endpoint; the folder metadata stays in the database and is available again after reactivation.
wp plugin deactivate filebird
Restrict author permissions
Temporarily downgrade author users to the contributor role, or otherwise limit their media management capabilities. Note that contributors cannot upload media at all by default, and that editor and administrator accounts remain able to trigger the flaw, so this only narrows the set of accounts that can exploit it.
wp user update <user_id> --role=contributor
🧯 If You Can't Patch
- Implement strict access controls so that only trusted accounts hold the author role or above; the flaw is only reachable by authenticated users with at least that role
- Enable comprehensive logging and monitoring for folder deletion activities, and keep current media library backups so deleted folder structures can be restored
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → FileBird version. If the version is 5.6.3 or lower, you are vulnerable. Compare versions numerically, component by component, not as strings.
Check Version:
wp plugin get filebird --field=version
Verify Fix Applied:
After updating, verify FileBird version shows 5.6.4 or higher in WordPress plugins list.
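The version comparison above is easy to get wrong when scripted: as plain strings, "5.10.0" sorts before "5.6.4", which would misreport a patched install as vulnerable. The following added example (not part of the original page or the FileBird project) compares dotted version strings numerically and wraps the `wp plugin get filebird --field=version` query from the page; the `FIXED_VERSION` constant and the handling of suffixes such as "-beta1" are assumptions for this example.

```python
"""Check whether an installed FileBird version is affected by CVE-2024-2346.

Affected: all versions <= 5.6.3. Fixed: 5.6.4 (per the page's fix information).
"""
import re
import subprocess

FIXED_VERSION = "5.6.4"  # first version carrying the fix, taken from the page


def parse_version(version):
    """Turn '5.6.3' (or '5.6.4-beta1', assumed suffix style) into a tuple of ints.

    Only the leading dotted-numeric part is compared; any suffix is ignored.
    """
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def version_lt(a, b):
    """Numeric, component-wise comparison; shorter tuples are padded with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def is_vulnerable(version):
    """True when the given FileBird version is below the fixed release."""
    return version_lt(version, FIXED_VERSION)


def installed_version():
    """Ask wp-cli for the installed FileBird version.

    Returns None when wp-cli is not on PATH or the plugin is not installed,
    so the script degrades cleanly on a machine without WordPress.
    """
    try:
        proc = subprocess.run(
            ["wp", "plugin", "get", "filebird", "--field=version"],
            capture_output=True, text=True, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("wp-cli not available or FileBird not installed; nothing to check")
    elif is_vulnerable(current):
        print(f"FileBird {current} is VULNERABLE (update to >= {FIXED_VERSION})")
    else:
        print(f"FileBird {current} is patched (>= {FIXED_VERSION})")
```

Run it on the WordPress host as the web user (`sudo -u www-data python3 check_filebird.py` from the site root) so that wp-cli picks up the right installation.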
📡 Detection & Monitoring
Log Indicators:
- Unusual folder deletion events in WordPress logs
- Multiple folder deletion requests from author-level users
- Failed folder access attempts followed by deletions
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=fbv_delete_folder from non-admin users. The action parameter travels in the POST body, so a plain web-server access log will not show it; this indicator needs a WAF, request-body logging, or a WordPress audit/activity log that records admin-ajax actions. Confirm the exact action name against the vendor fix changeset for your installed version.
SIEM Query:
source="wordpress.log" action="fbv_delete_folder" (user_role="author" OR user_role="editor")
(Field names are illustrative; map them to whatever your WordPress audit log or WAF actually emits.)
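The two log indicators above (deletes from non-admin users, and multiple deletes from one author-level user) can be checked offline against an exported audit log. The following added example (not part of the original page or the FileBird project) runs that logic over constructed JSON-lines records. The field names, the assumption that the log records the admin-ajax `action` parameter, the five-minute window and the threshold of three deletes are all assumptions for this example; adapt them to your own audit or WAF log format.

```python
"""Flag suspicious FileBird folder deletions (CVE-2024-2346) in an audit log."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: an application-level log (WAF or WordPress audit
# plugin) that captures the admin-ajax 'action' parameter. Format is assumed.
SAMPLE_LOG = """\
{"ts": "2024-03-12T10:00:01Z", "user": "editor_jane", "role": "editor", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "action": "fbv_delete_folder", "folder_id": 17}
{"ts": "2024-03-12T10:00:05Z", "user": "admin", "role": "administrator", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "action": "fbv_delete_folder", "folder_id": 3}
{"ts": "2024-03-12T10:01:10Z", "user": "author_bob", "role": "author", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "action": "fbv_delete_folder", "folder_id": 21}
{"ts": "2024-03-12T10:01:12Z", "user": "author_bob", "role": "author", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "action": "fbv_delete_folder", "folder_id": 22}
{"ts": "2024-03-12T10:01:15Z", "user": "author_bob", "role": "author", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "action": "fbv_delete_folder", "folder_id": 23}
{"ts": "2024-03-12T10:02:00Z", "user": "author_bob", "role": "author", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "action": "heartbeat"}
{"ts": "2024-03-12T10:05:00Z", "user": "author_bob", "role": "author", "method": "GET", "uri": "/wp-admin/upload.php"}
"""

DELETE_ACTION = "fbv_delete_folder"   # action name as given on the page
TRUSTED_ROLES = {"administrator"}     # roles expected to delete others' folders


def parse_events(text):
    """Parse JSON-lines records, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def is_folder_delete(event):
    """Match the page's network indicator: POST to admin-ajax.php with the delete action."""
    return (event.get("method") == "POST"
            and event.get("uri", "").endswith("/wp-admin/admin-ajax.php")
            and event.get("action") == DELETE_ACTION)


def find_suspicious(text, burst_threshold=3, window=timedelta(minutes=5)):
    """Return findings for (a) every delete by a non-trusted role and
    (b) every user whose deletes within `window` reach `burst_threshold`."""
    findings = []
    deletes = [ev for ev in parse_events(text) if is_folder_delete(ev)]
    per_user = defaultdict(list)
    for ev in deletes:
        if ev.get("role") not in TRUSTED_ROLES:
            findings.append({"kind": "non_admin_delete", "user": ev["user"],
                             "role": ev.get("role"), "folder_id": ev.get("folder_id"),
                             "ts": ev["ts"]})
        per_user[ev["user"]].append(ev["ts"])
    for user, stamps in per_user.items():
        stamps.sort()
        for i in range(len(stamps)):
            # Sliding window: count deletes in [stamps[i], stamps[i] + window].
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i >= burst_threshold:
                findings.append({"kind": "burst", "user": user,
                                 "count": j - i, "start": stamps[i]})
                break  # one burst finding per user is enough to alert on
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Against the constructed sample this reports four non-admin deletes (one by the editor, three by the author) and one burst for the author account; the administrator's single delete is not flagged. Tune `TRUSTED_ROLES` if editors legitimately manage shared folders on your site, and keep the burst rule even so, since a burst of deletes from any non-administrator is the "systematic deletion" scenario described under Worst Case.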
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3060898%40filebird%2Ftrunk&old=3049188%40filebird%2Ftrunk
- https://www.wordfence.com/threat-intel/vulnerabilities/id/82cde234-ae87-438f-911e-bdd0e3ac1132?source=cve