CVE-2024-10079: 
WordPress vulnerability analysis and mitigation

The WP Easy Post Types plugin for WordPress (CVE-2024-10079) contains a PHP Object Injection vulnerability affecting versions up to and including 1.4.4. The vulnerability was discovered by István Márton and publicly disclosed on October 17, 2024. This security issue impacts WordPress installations using the affected plugin versions (Wordfence Advisory).

The vulnerability exists in the 'ajaximportcontent' function where untrusted input from the 'text' parameter is deserialized without proper validation. The issue has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) (NVD Database).

While no POP (Property Oriented Programming) chain is present in the vulnerable plugin itself, if a POP chain exists via additional plugins or themes installed on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code on the affected system (NVD Database).

Users should upgrade to a version newer than 1.4.4 when available. Until then, site administrators should consider limiting user roles and permissions to minimize the potential attack surface (NVD Database).