WordPress Plugin Vulnerabilities
Postie < 1.9.41 - Post Submission Spoofing & Stored Cross-Site Scripting (XSS)
Description
"The Postie plugin for WordPress only allows posting of articles submitted by authorized users through a mailing list registered in the plugin settings.
However, through the email sender's spoofing technique, it was possible to bypass the plugin settings and publish a post as having been sent by a valid user."
This could be used to create a post with an XSS payload.
Affects Plugins
References
Miscellaneous
Original Researcher
V1n1v131r4
Verified
No
WPVDB ID
Timeline
Publicly Published
2020-01-02
Added
2020-01-03
Last Updated
2022-01-30