Viewing 1 replies (of 1 total)
  • Plugin Author Wayne Allen (@wayneallen-1)

    This vulnerability report has 2 parts:

    1) it is possible to send a forged email

    Yes, this is true and is an issue for all systems that accept emails as input, not just Postie. Additionally, for this to actually work the attacker would need to know the email address that Postie checks and the email address of a valid user who has permissions to create posts via Postie. This issue also exists for the native WordPress “post by email” function.

    2) allows XSS

    I have never been able to reproduce the XSS attack. Postie always removes any script blocks, and the special payload doesn’t seem to do anything.

    The WordPress plugin team reviewed these CVEs when they were released and determined that it wasn’t an area of concern.

  • The topic ‘Security issue in Postie’ is closed to new replies.