CVE-2024-5200
Description
The Postie WordPress plugin before 1.9.71 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Postie WordPress plugin before 1.9.71 has a Stored XSS vulnerability via unsanitized settings, exploitable by admins even when unfiltered_html is disallowed.
Vulnerability Overview
The Postie WordPress plugin versions prior to 1.9.71 contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient sanitization and escaping of certain plugin settings. This allows authenticated users with high privileges, such as administrators, to inject malicious scripts that are stored and later executed in the browsers of other users who view the affected settings.
Attack Vector
The attack requires administrative access to the plugin's settings page. The vulnerability is particularly significant in multisite WordPress installations, where the unfiltered_html capability is typically restricted to super admins. Even with this restriction in place, an admin user can store a malicious payload in an unsanitized settings field, which is then served to other users (including other admins or lower-privilege users) when they view the affected settings page or related content.
Impact
Successful exploitation results in Stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of victims' sessions. This can lead to session hijacking, defacement, theft of sensitive data, or further privilege escalation within the WordPress environment.
Mitigation
The vulnerability has been fixed in version 1.9.71 of the Postie plugin. Users are advised to update to the latest version immediately. No workaround is available beyond applying the patch [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
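The following is an added example, not code from the Postie plugin: it contrasts the pattern behind this class of bug (a setting stored and echoed verbatim) with the WordPress sanitise-on-save, escape-on-output pattern that the fix relies on. The option name, settings group and nonce action are hypothetical, and the point of the note in the vulnerable half is that option values are not run through kses just because a user lacks unfiltered_html.

```php
<?php
/**
 * Added example (hypothetical option names). Shows why unfiltered_html alone
 * does not protect plugin settings, and how the Settings API closes the gap.
 */

// --- Vulnerable pattern: store whatever was posted, echo it back unescaped. ---
// Option values are NOT passed through kses by WordPress core, so the
// unfiltered_html capability never comes into play here; whatever an admin
// saves is later rendered verbatim for every user who opens the page.
function vuln_example_save() {
    if ( isset( $_POST['postie_example_label'] ) ) {
        update_option( 'postie_example_label', wp_unslash( $_POST['postie_example_label'] ) );
    }
}
function vuln_example_render() {
    echo '<input name="postie_example_label" value="' . get_option( 'postie_example_label' ) . '">';
}

// --- Hardened pattern ---
// 1) Register the option with a sanitize_callback. register_setting() hooks
//    sanitize_option_{option}, which update_option() applies on every write,
//    regardless of the caller's capabilities.
add_action( 'admin_init', function () {
    register_setting(
        'postie_example_group',   // hypothetical settings group
        'postie_example_label',   // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips tags and control chars
            'default'           => '',
        )
    );
} );

// 2) Escape at output time, choosing the escaper for the HTML context.
function hardened_example_render() {
    $label = get_option( 'postie_example_label', '' );
    printf(
        '<label>%s <input type="text" name="postie_example_label" value="%s"></label>',
        esc_html( $label ),  // text-node context
        esc_attr( $label )   // attribute context
    );
}

// 3) Check capability and nonce before accepting the form. These stop CSRF and
//    unauthorised writes, but are not XSS defences: admins are legitimate callers.
function hardened_example_save() {
    if ( ! current_user_can( 'manage_options' ) ) { return; }
    check_admin_referer( 'postie_example_save' ); // hypothetical nonce action
    $raw = isset( $_POST['postie_example_label'] ) ? wp_unslash( $_POST['postie_example_label'] ) : '';
    update_option( 'postie_example_label', $raw ); // sanitize_callback runs inside
}
```

The sanitize_callback only applies once register_setting() has run for the option, so register it on admin_init (or earlier) rather than only when rendering the settings page.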
Affected products
- Postie (no CPE), version range: <1.9.71
Package: https://wordpress.org/plugins/postie
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions: no linked articles in our index yet.