CVE-2024-10079

Name of the Vulnerable Software and Affected Versions WP Easy Post Types plugin for WordPress versions up to, and including, 1.4.4

Description The issue concerns PHP Object Injection via deserialization of untrusted input from the text parameter in the ajax import content function. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. However, if a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations For WP Easy Post Types plugin for WordPress versions up to, and including, 1.4.4, consider disabling the ajax import content function until a patch is available to prevent exploitation. Restrict access to the text parameter in the affected function to minimize the risk of PHP Object Injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.