CVE-2024-10078

7.3 HIGH

📋 TL;DR

The WP Easy Post Types WordPress plugin is missing a capability check, which allows any authenticated user with subscriber-level access or higher to add, modify, or delete plugin options and posts. All versions up to and including 1.4.4 are affected. Any WordPress site running a vulnerable version of this plugin is at risk.

💻 Affected Systems

Products:
  • WP Easy Post Types WordPress Plugin
Versions: All versions up to and including 1.4.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the plugin activated. Any authenticated user (subscriber role or higher) can exploit this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could fully compromise the WordPress site by modifying critical settings, deleting content, or injecting malicious code through post modifications, potentially leading to site takeover.

🟠 Likely Case

Authenticated attackers would modify plugin settings to gain elevated privileges, delete or deface posts, or inject malicious content into the site.

🟢 If Mitigated

With proper access controls and monitoring, the impact would be limited to unauthorized post modifications that can be detected and rolled back.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward due to missing capability checks in multiple functions.
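The class of bug described here is a WordPress handler that is reachable by any logged-in user but never asks whether the caller is allowed to do what it does. The following is an added illustration, not code from the WP Easy Post Types plugin: a generic vulnerable AJAX handler beside its hardened form. All hook names, option names and function names (`example_save_option`, `example_setting`, and so on) are assumptions chosen for the example; the WordPress API calls (`current_user_can`, `check_ajax_referer`, `wp_send_json_error`, `wp_update_post`) are real.

```php
<?php
// Added illustration, not the plugin's own code. Hook, option and function
// names are assumptions for the example; the WordPress API calls are real.

// Vulnerable pattern: every logged-in user can reach a wp_ajax_* hook, and this
// handler trusts the request without checking who is calling. A subscriber can
// therefore rewrite a plugin option that only administrators should control.
add_action( 'wp_ajax_example_save_option', 'example_save_option_vulnerable' );
function example_save_option_vulnerable() {
    update_option( 'example_setting', wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// Hardened pattern: verify the nonce (blocks CSRF) and require a capability
// that only the intended role holds. `manage_options` is granted to
// administrators by default, so subscribers are refused with a 403.
add_action( 'wp_ajax_example_save_option_fixed', 'example_save_option_fixed' );
function example_save_option_fixed() {
    check_ajax_referer( 'example_save_option', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // exits
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_send_json_success();
}

// The same rule applies to post changes: check the object-level capability
// for that specific post rather than only "is the user logged in".
function example_update_post_fixed( $post_id, $new_title ) {
    $post_id = (int) $post_id;
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'insufficient permissions' );
    }
    return wp_update_post(
        array(
            'ID'         => $post_id,
            'post_title' => sanitize_text_field( $new_title ),
        ),
        true // return WP_Error on failure instead of 0
    );
}
```

When reviewing a plugin for this bug class, look at every `wp_ajax_*` and `admin_post_*` callback: a handler that calls `update_option`, `wp_update_post` or `wp_delete_post` without a preceding `current_user_can()` (and, for state-changing requests, a nonce check) is the pattern this advisory describes.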

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.5 or later

Vendor Advisory: https://wordpress.org/plugins/easy-post-types/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WP Easy Post Types' and click 'Update Now'.
4. Alternatively, download version 1.4.5+ from WordPress.org and replace the plugin files manually.

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily deactivate the WP Easy Post Types plugin until it is patched:

wp plugin deactivate easy-post-types

Restrict User Registration (applies to: all)

Disable new user registration (Settings → General, uncheck 'Anyone can register') so that attackers cannot self-register subscriber accounts.

🧯 If You Can't Patch

  • Implement strict access controls and monitor all authenticated user activity
  • Regularly audit and review all posts and plugin settings for unauthorized changes

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for WP Easy Post Types version 1.4.4 or earlier

Check Version:

wp plugin list --name=easy-post-types --field=version

Verify Fix Applied:

Verify plugin version is 1.4.5 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to plugin admin endpoints
  • Unexpected modifications to wp_options table
  • Posts modified by low-privilege users

Network Indicators:

  • HTTP requests to /wp-admin/admin-ajax.php with action parameters related to easy-post-types

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND action CONTAINS "easy_post_types") AND user_role="subscriber"

The query assumes your log pipeline records the authenticated user's role alongside each request; a plain web-server access log does not, so join against WordPress user data or log the role at the application layer.
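As an added example (not from the original advisory), the same detection logic applied in PHP to a handful of constructed log lines. It generalises the SIEM query slightly: instead of matching only `subscriber`, it flags any non-administrator role hitting an `easy_post_types` AJAX action, since the advisory states that every role from subscriber upward can reach the vulnerable functions. The log line format, user names and action names are constructed for the example and are not real indicators.

```php
<?php
// Added example, not part of the advisory. Log format and values below are
// constructed; adapt parse_log_line() to your own pipeline's field names.

/** Parse a "key=value key=value ..." line into an associative array. */
function parse_log_line( string $line ): array {
    $fields = array();
    foreach ( preg_split( '/\s+/', trim( $line ) ) as $token ) {
        if ( strpos( $token, '=' ) !== false ) {
            list( $k, $v ) = explode( '=', $token, 2 );
            $fields[ $k ] = $v;
        }
    }
    return $fields;
}

/**
 * Return the log entries that match the advisory's indicator: a request to
 * admin-ajax.php whose action belongs to easy-post-types, made by a user whose
 * role should not be able to change plugin options or other users' posts.
 */
function flag_suspicious_ajax( array $lines, array $trusted_roles = array( 'administrator' ) ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $f = parse_log_line( $line );
        if ( ( $f['path'] ?? '' ) !== '/wp-admin/admin-ajax.php' ) {
            continue; // only the AJAX entry point is of interest
        }
        if ( stripos( $f['action'] ?? '', 'easy_post_types' ) === false ) {
            continue; // not this plugin's handler
        }
        if ( in_array( $f['role'] ?? '', $trusted_roles, true ) ) {
            continue; // administrators are expected to call these actions
        }
        $hits[] = $f;
    }
    return $hits;
}

// Constructed sample lines (not real traffic).
$sample_log = array(
    'ts=2024-10-01T10:00:01Z user=alice role=administrator method=POST path=/wp-admin/admin-ajax.php action=easy_post_types_save_option status=200',
    'ts=2024-10-01T10:00:05Z user=bob role=subscriber method=POST path=/wp-admin/admin-ajax.php action=easy_post_types_save_option status=200',
    'ts=2024-10-01T10:00:09Z user=bob role=subscriber method=POST path=/wp-admin/admin-ajax.php action=heartbeat status=200',
    'ts=2024-10-01T10:00:12Z user=carol role=author method=POST path=/wp-admin/admin-ajax.php action=easy_post_types_delete_post status=200',
    'ts=2024-10-01T10:00:15Z user=dave role=subscriber method=GET path=/wp-login.php status=200',
);

foreach ( flag_suspicious_ajax( $sample_log ) as $hit ) {
    // Expect bob (subscriber) and carol (author) to be reported, alice not.
    printf( "ALERT %s user=%s role=%s action=%s\n", $hit['ts'], $hit['user'], $hit['role'], $hit['action'] );
}
```

A hit from a subscriber is the strongest signal because that role has no legitimate reason to change plugin options at all; hits from authors or editors should be cross-checked against whether the affected post belongs to them.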
