Description

WordPress Plugin Postie is prone to multiple vulnerabilities, including cross-site scripting and security bypass. Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, or to perform otherwise restricted actions and subsequently publish posts by spoofing the From information of an email message. WordPress Plugin Postie version 1.9.40 is vulnerable; prior versions may also be affected.

Remediation

Disable the plugin until a fix is available

References

https://github.com/V1n1v131r4/Exploiting-Postie-WordPress-Plugin-/blob/master/README.md

https://packetstormsecurity.com/files/155973/WordPress-Postie-1.9.40-Cross-Site-Scripting.html

Related Vulnerabilities

Rukovoditel Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2020-13589)

Zope Web Application Server Other Vulnerability (CVE-2006-3458)

PHP Other Vulnerability (CVE-2007-3790)

Apache HTTP Server Resource Management Errors Vulnerability (CVE-2007-6423)

Drupal CVE-2018-7602 Vulnerability (CVE-2018-7602)

Severity

High

Classification

CVE-2019-20203 CVE-2019-20204 CWE-79 CWE-264 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update