Postie <= 1.9.40 - Post Submission Spoofing & Stored XSS



Description
"The Postie plugin for WordPress only allows posting of articles submitted by authorized users through a mailing list registered in the plugin settings.

However, through the email sender's spoofing technique, it was possible to bypass the plugin settings and publish a post as having been sent by a valid user."

This could be used to create a post with an XSS payload.

Affects Plugin

References

CVE 2019-20204
CVE 2019-20203
URL https://github.com/V1n1v131r4/Exploiting-Postie-WordPress-Plugin-/blob/master/README.md

Classification

Type MULTI

Miscellaneous

Original Researcher V1n1v131r4
Verified No
WPVDB ID 10002

Timeline

Publicly Published 2020-01-02 (21 days ago)
Added 2020-01-03 (19 days ago)
Last Updated 2020-01-04 (18 days ago)
