Vulnerability in WP Easy Post Types Plugin Allows PHP Object Injection
CVE-2024-10079

8.8HIGH

Key Information:

Vendor: Wordpress
Status: WP Easy Post Types
Vendor: CVE Published:; 18 October 2024

Summary

The WP Easy Post Types plugin for WordPress is impacted by a PHP Object Injection vulnerability in versions up to and including 1.4.4. This vulnerability arises from the deserialization of untrusted input through the 'text' parameter in the 'ajax_import_content' function. Authenticated attackers with subscriber-level permissions or higher can inject a PHP Object, posing significant risks if a potentially exploitable payload (POP) chain is present through other plugins or themes. Such exploitation could enable unauthorized file deletions, sensitive data retrieval, or arbitrary code execution, emphasizing the necessity for site administrators to update the affected plugin versions promptly.

Affected Version(s)

WP Easy Post Types * <= 1.4.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/easy-post-type...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 18, 2024
Vulnerability Reserved
Oct 17, 2024

Credit

István Márton