CVE-2024-10080

6.4 MEDIUM

📋 TL;DR

The WP Easy Post Types plugin for WordPress has a stored cross-site scripting vulnerability that allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into website pages. These scripts execute whenever users view the compromised pages, potentially stealing credentials or performing unauthorized actions. This affects all WordPress sites using vulnerable plugin versions.

💻 Affected Systems

Products:
  • WP Easy Post Types WordPress Plugin
Versions: 1.4.4 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled. Contributor-level authentication or higher is needed for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠 Likely Case

Attackers inject malicious JavaScript to steal user session cookies or credentials, potentially compromising user accounts and website integrity.

🟢 If Mitigated

With proper input validation and output escaping, the vulnerability would be prevented, and only sanitized content would be displayed to users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with contributor permissions or higher. The vulnerability is in post meta handling with insufficient sanitization.
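The pattern behind this bug class, as an added illustration rather than the plugin's own code (the meta key `_epte_subtitle`, the form field `epte_subtitle` and the nonce action are hypothetical): post meta stored and echoed verbatim, next to the hardened form that checks capability, sanitizes on save and escapes on output.

```php
<?php
// Illustrative example, not code from WP Easy Post Types.
// Meta key, form field and nonce action name are hypothetical.

// --- Vulnerable pattern: the value is stored and printed verbatim ------------
function epte_demo_save_meta_vulnerable( int $post_id ): void {
    if ( isset( $_POST['epte_subtitle'] ) ) {
        // Raw user input goes straight into post meta, no sanitization.
        update_post_meta( $post_id, '_epte_subtitle', $_POST['epte_subtitle'] );
    }
}

function epte_demo_render_vulnerable( int $post_id ): string {
    // Whatever a contributor stored is emitted unescaped, so any markup in
    // the value becomes live HTML for every visitor who views the page.
    $subtitle = get_post_meta( $post_id, '_epte_subtitle', true );
    return '<p class="subtitle">' . $subtitle . '</p>';
}

// --- Hardened pattern: capability + nonce check, sanitize on save, escape on output
function epte_demo_save_meta_hardened( int $post_id ): void {
    if ( ! isset( $_POST['epte_subtitle'] ) ) {
        return;
    }
    // Only a user allowed to edit this specific post may change its meta.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // The nonce ties the request to the plugin's own edit form.
    $nonce = isset( $_POST['epte_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['epte_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'epte_save_subtitle' ) ) {
        return;
    }
    // Plain-text field: strip tags and control characters before storing.
    $subtitle = sanitize_text_field( wp_unslash( $_POST['epte_subtitle'] ) );
    update_post_meta( $post_id, '_epte_subtitle', $subtitle );
}

function epte_demo_render_hardened( int $post_id ): string {
    // Escape at output time regardless of what is in the database; a stored
    // "<script>" then renders as literal text instead of executing.
    $subtitle = get_post_meta( $post_id, '_epte_subtitle', true );
    return '<p class="subtitle">' . esc_html( $subtitle ) . '</p>';
}

add_action( 'save_post', 'epte_demo_save_meta_hardened' );
```

Escaping on output is the control that holds even if an older, unsanitized value is already in the database, which is why both halves of the hardened pattern matter.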

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.5 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/easy-post-types

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Easy Post Types and update to version 1.4.5 or later.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the WP Easy Post Types plugin until patched

wp plugin deactivate easy-post-types

Restrict User Roles

all

Limit contributor and author roles to trusted users only

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Regularly audit user accounts and remove unnecessary contributor-level permissions

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Easy Post Types version 1.4.4 or earlier

Check Version:

wp plugin get easy-post-types --field=version

Verify Fix Applied:

Verify plugin version is 1.4.5 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual post meta updates by contributor-level users
  • JavaScript payloads in post content or meta fields

Network Indicators:

  • Suspicious outbound connections from WordPress site after page views

SIEM Query:

source="wordpress" AND (plugin="easy-post-types" AND version<="1.4.4")

Note that a plain string comparison of version numbers is inexact (lexicographically, "1.4.10" sorts before "1.4.4"); use your SIEM's version-aware comparison operator where one exists.
