CVE-2024-10078

WP Easy Post Types <= 1.4.4 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions

Description

The WP Easy Post Types plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 1.4.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete plugin options and posts.

Category

7.3
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.14%
Third-Party Advisory wordfence.com
Affected: chertz WP Easy Post Types
Published at:
Updated at:

References

Link Tags
https://www.wordfence.com/threat-intel/vulnerabilities/id/d12c4b1c-23d0-430f-a6ea-0a3ab487ed10?source=cve third party advisory
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L111 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L112 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L113 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L114 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L115 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L116 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L117 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L118 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L119 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L120 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L121 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L122 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L123 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L124 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L125 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L126 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L127 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L128 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L129 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L130 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L131 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L132 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L133 product
https://plugins.trac.wordpress.org/browser/easy-post-types/tags/1.4.4/custom-type.php#L134 product

Frequently Asked Questions

What is the severity of CVE-2024-10078?
CVE-2024-10078 has been scored as a high severity vulnerability.
How to fix CVE-2024-10078?
To fix CVE-2024-10078, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-10078 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-10078 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-10078?
CVE-2024-10078 affects chertz WP Easy Post Types.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.