Easy Property Listings <= 3.5.3 – Admin+ Stored XSS | CVE 2024-2869 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Note: Depending on how the plugin is configured, this may be exploitable by users with lower permissions.

Proof of Concept

1. Go to: https://example.com/wp-admin/admin.php?page=epl-contacts&view=new-contact
2. Add a new contact and enter the payload `11<script>alert(11)</script>` for the name.
3. View the contacts and see the XSS.

Affects Plugins

easy-property-listings

Fixed in 3.5.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Submitter

cyc707

Verified

Yes

WPVDB ID

4093c12e-f62b-4357-8893-649cd2aaeace

Timeline

Publicly Published

2024-02-29 (about 1 year ago)

Added

2024-10-29 (about 1 year ago)

Last Updated

2024-10-29 (about 1 year ago)

Other

Published

Title

Published

2024-12-19

Title

PostLists <= 2.0.2 - Reflected XSS

Published

2024-05-23

Title

Custom Fonts – Host Your Fonts Locally < 2.1.5 - Author+ Stored XSS

Published

2023-02-02

Title

EZP Coming Soon Page < 1.0.7.4 - Admin+ Stored XSS

Published

2025-03-20

Title

ZhinaTwitterWidget <= 1.0 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Elegant Grunge 1.0.3 - s Parameter XSS