CVE-2024-2869

4.8 MEDIUM

📋 TL;DR

This vulnerability in the Easy Property Listings WordPress plugin allows administrators to inject malicious scripts into plugin settings, which then execute when other users view those settings pages. It affects WordPress sites using Easy Property Listings versions before 3.5.4, particularly in multisite configurations where unfiltered_html is restricted.

💻 Affected Systems

Products:
  • Easy Property Listings WordPress Plugin
Versions: All versions before 3.5.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress administrator or equivalent high-privilege user account. Particularly relevant for WordPress multisite installations where unfiltered_html capability is restricted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with admin privileges could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially compromising the entire WordPress site.

🟠 Likely Case

Malicious admin injects JavaScript that steals other users' session cookies or credentials when they access plugin settings pages.

🟢 If Mitigated

With proper access controls limiting admin privileges and regular security updates, impact is minimal as exploitation requires high-privilege access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative access to WordPress. The vulnerability is in plugin settings that should only be accessible to high-privilege users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.4

Vendor Advisory: https://wpscan.com/vulnerability/4093c12e-f62b-4357-8893-649cd2aaeace/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Easy Property Listings.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.5.4+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Remove Admin Privileges (all platforms)

Temporarily reduce admin privileges for untrusted users until the patch is applied.

Disable Plugin (linux)

Temporarily deactivate the Easy Property Listings plugin if it is not essential:

wp plugin deactivate easy-property-listings

🧯 If You Can't Patch

  • Restrict administrative access to only essential, trusted personnel
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Easy Property Listings → Version. If the version is below 3.5.4, the site is vulnerable.

Check Version:

wp plugin get easy-property-listings --field=version

Verify Fix Applied:

Confirm plugin version is 3.5.4 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity modifying plugin settings
  • JavaScript payloads in plugin setting updates

Network Indicators:

  • Unexpected external requests from plugin settings pages
  • Suspicious JavaScript loading from plugin URLs

SIEM Query:

source="wordpress" AND (event="plugin_edit" OR event="option_update") AND plugin="easy-property-listings" AND user_role="administrator"
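The "JavaScript payloads in plugin setting updates" indicator above, carried into a small detector as an added example (not code from the page, the plugin, or any SIEM): it scans audit-log events for updates to plugin settings whose new value contains script-like content, decoding HTML entities first so an encoded payload is still seen. The event shape and the `epl_` option prefix are assumptions; the sample events are constructed.

```python
import html
import re
from typing import Dict, List

# Assumption: the plugin keeps its settings under one option-name prefix. The real
# option names are not given on the page, so "epl_" is a placeholder.
PLUGIN_OPTION_PREFIX = "epl_"

# Heuristic script-like fragments that have no place in a plain-text setting.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),              # inline or external script tag
    re.compile(r"<\s*(iframe|object|embed)\b", re.I),
    re.compile(r"\son[a-z]+\s*=", re.I),            # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),            # javascript: URLs
]

# Constructed sample events in the shape of a generic audit-log export; this is
# not a real WordPress or plugin log format.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "option_update", "user_role": "administrator",
     "option": "epl_currency", "value": "USD"},
    {"event": "option_update", "user_role": "administrator",
     "option": "epl_label_bond",
     "value": "Bond <script>alert('constructed test payload')</script>"},
    {"event": "option_update", "user_role": "administrator",
     "option": "epl_label_location",
     "value": "Location &lt;img src=x onerror=alert(1)&gt;"},  # stored entity-encoded
    {"event": "option_update", "user_role": "editor",
     "option": "blogdescription", "value": "Just another <b>site</b>"},
    {"event": "plugin_edit", "user_role": "administrator",
     "option": "epl_display", "value": "<p>Plain markup is allowed</p>"},
]


def suspicious_setting_updates(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return plugin setting updates whose new value contains script-like content.

    The value is HTML-entity-decoded first so a payload stored encoded is still
    matched; only options under the plugin prefix are inspected, and plain
    markup without script hooks is deliberately not flagged.
    """
    flagged = []
    for ev in events:
        if ev.get("event") not in ("option_update", "plugin_edit"):
            continue
        if not ev.get("option", "").startswith(PLUGIN_OPTION_PREFIX):
            continue
        decoded = html.unescape(ev.get("value", ""))
        hits = [p.pattern for p in SCRIPT_PATTERNS if p.search(decoded)]
        if hits:
            flagged.append({**ev, "reason": "; ".join(hits)})
    return flagged
```

Run against the constructed sample, only the two `epl_label_*` updates are flagged; the plain `<p>` markup an administrator may legitimately save is not.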
