WordPress Plugin Vulnerabilities

Postie < 1.9.74 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
postie
Fixed in 1.9.74

References

CVE
CVE-2025-63020
URL
https://vdp.patchstack.com/database/wordpress/plugin/postie/vulnerability/wordpress-postie-plugin-1-9-73-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
e46d6958-5d1b-47d7-bbdc-9fd39bb63d7e

Timeline

Publicly Published
2025-12-31 (about 4 months ago)
Added
2026-01-05 (about 4 months ago)
Last Updated
2026-01-07 (about 4 months ago)

Other

Published
Title
Published
2021-05-09
Title
UpdraftPlus < 1.6.59 - Admin+ Stored Cross-Site Scripting
Published
2026-02-18
Title
Drift <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
Published
2025-09-03
Title
Cookie Notice & Consent Banner for GDPR & CCPA Compliance < 1.7.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-07-03
Title
Auto Location for WP Job Manager via Google < 1.1 - Admin+ Cross Site Scripting
Published
2018-10-30
Title
ElegantThemes (Divi, Extra, divi-builder) - Authenticated Stored Cross-Site Scripting (XSS)