CVE-2024-2869 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Easy Property Listings WordPress plugin versions prior to 3.5.4. This vulnerability arises because the plugin fails to properly sanitize and escape certain settings fields. Specifically, even when the WordPress capability 'unfiltered_html' is disabled — a common restriction in multisite environments to prevent users from injecting arbitrary HTML — high privilege users such as administrators can inject malicious scripts. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Exploiting this flaw requires an attacker to have administrative privileges, but it can lead to persistent XSS attacks where malicious JavaScript is stored on the server and executed in the browsers of users who view the affected pages. The CVSS v3.1 base score is 4.8 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, high privileges, and user interaction, with a scope change (S:C) meaning the vulnerability affects resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss but no availability impact. No known exploits are currently reported in the wild, and no official patches are linked yet, though the fixed version is 3.5.4 or later. This vulnerability is particularly relevant in multisite WordPress setups where administrative users may be restricted from using unfiltered HTML but can still exploit this flaw to inject persistent malicious scripts, potentially compromising other users or administrators who access the affected pages.

For European organizations using WordPress with the Easy Property Listings plugin, this vulnerability poses a moderate risk. The stored XSS can lead to session hijacking, privilege escalation, or distribution of malware to users who access the compromised pages. In multisite environments common in large enterprises or real estate platforms, the impact is amplified because an attacker with admin privileges on one site could affect multiple sites or users. Confidentiality and integrity of user data and administrative sessions could be compromised, potentially leading to unauthorized access or data leakage. While availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for failing to protect user data could be significant. Organizations relying on this plugin for property listings or real estate services may face targeted attacks aiming to deface listings, steal credentials, or spread malicious payloads. The medium CVSS score suggests that while exploitation is not trivial, the consequences warrant prompt attention, especially in sectors handling sensitive client information or financial transactions.

European organizations should immediately verify the version of Easy Property Listings installed and upgrade to version 3.5.4 or later where the vulnerability is fixed. Until patching is possible, restrict administrative access strictly to trusted personnel and review user roles to minimize the number of users with high privileges. Implement Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources. Conduct thorough input validation and output encoding on all user-supplied data in custom themes or plugins interacting with Easy Property Listings. Regularly audit multisite configurations to ensure that unfiltered_html capabilities are appropriately assigned and monitor logs for suspicious activity indicative of XSS exploitation attempts. Employ Web Application Firewalls (WAFs) with rules targeting stored XSS patterns specific to this plugin. Finally, educate administrators about the risks of stored XSS and the importance of cautious content management in the plugin settings.