Unauthorized Post Publishing in Postie Plugin for WordPress
CVE-2019-20203

5.3MEDIUM

Key Information:

Vendor
Wordpress
Status
Postie
Vendor
CVE Published:
2 January 2020

Summary

The Postie plugin version 1.9.40 for WordPress is susceptible to an authorization bypass vulnerability that enables remote attackers to publish posts without proper authentication. By spoofing the 'From' email address in submitted messages, attackers can manipulate the plugin's Authorized Addresses feature, resulting in unauthorized post creation on target WordPress sites. This flaw highlights the necessity for robust email validation processes to prevent malicious exploit.

References

https://github.com/V1n1v131r4/Exploiting-Postie-WordPress...
x_refsource_MISC
https://postieplugin.com/
x_refsource_MISC
https://wordpress.org/plugins/postie/#developers
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.