Stored Cross-Site Scripting Vulnerability in Postie Plugin for WordPress
CVE-2024-5200

Currently unrated

Key Information:

Vendor: WordPress

CVE Published: 29 September 2025

Badges

👾 Exploit Exists, 🟡 Public PoC

What is CVE-2024-5200?

The Postie plugin for WordPress prior to version 1.9.71 does not properly sanitize or escape some of its settings. As a result, users with elevated privileges, such as administrators, can carry out Stored Cross-Site Scripting attacks even in configurations where the unfiltered_html capability is restricted, such as multisite installations. Scripts injected this way are stored with the settings and compromise the security of the WordPress site.

Affected Version(s)

Postie: all versions before 1.9.71
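A triage check for the affected range above, as an added example that is not code from the advisory or from the Postie project. It reads the `Version:` line of a plugin header and looks for the WordPress constants `MULTISITE` and `DISALLOW_UNFILTERED_HTML` in `wp-config.php` text; the function names and the sample inputs are constructed for illustration.

```python
import re

FIXED = (1, 9, 71)  # first fixed Postie release named in the advisory

def parse_version(plugin_source):
    """Return the plugin header's Version as a tuple of ints, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", plugin_source, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True for versions below 1.9.71; short versions are zero-padded."""
    padded = tuple(version) + (0,) * (len(FIXED) - len(version))
    return padded < FIXED

def restricts_unfiltered_html(wp_config):
    """True if wp-config.php enables multisite or DISALLOW_UNFILTERED_HTML."""
    # Skip whole-line comments so a commented-out define is not counted.
    live = [l for l in wp_config.splitlines()
            if not l.lstrip().startswith(("//", "#", "*"))]
    pat = r"define\(\s*['\"](MULTISITE|DISALLOW_UNFILTERED_HTML)['\"]\s*,\s*true\s*\)"
    return re.search(pat, "\n".join(live), re.I) is not None

def assess(plugin_source, wp_config):
    """Classify an install from the text of its plugin file and wp-config.php."""
    version = parse_version(plugin_source)
    if version is None:
        return "unknown"              # no Version header found
    if not is_affected(version):
        return "patched"              # 1.9.71 or later
    if restricts_unfiltered_html(wp_config):
        # Administrators are not supposed to be able to store raw HTML here,
        # so the flaw crosses a privilege boundary: prioritise the update.
        return "affected-restricted"
    return "affected"

# Constructed sample inputs (not taken from a real site)
SAMPLE_PLUGIN = "<?php\n/*\nPlugin Name: Postie\nVersion: 1.9.70\n*/\n"
SAMPLE_CONFIG = "<?php\n// define('MULTISITE', false);\ndefine( 'MULTISITE', true );\n"

if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN, SAMPLE_CONFIG))
```
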

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Guido Iván García Duva
WPScan