This PoC describes how to exploit the Postie WordPress plugin <v1.9.40.
I will describe two ways to exploit the Postie v1.9.40 plugin for WordPress:
- Spoofing a valid user for post submission // I published this as CVE-2019-20203
- XSS with a JavaScript polyglot // I published this as CVE-2019-20204
Postie allows you to create a post by simply sending an email. Create and edit your email in whatever email program you use. Click send and within a few minutes you have a new post!
More info here
The Postie plugin for WordPress only allows the posting of articles submitted by authorized users, i.e. senders on the mailing list registered in the plugin settings.
However, through an email sender spoofing technique (as an example, I used the Anonymailer website) it was possible to bypass the plugin settings and publish a post as if it had been sent by a valid user, as shown in the images below.
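The root cause of this bypass is that the gateway decides who sent a message from the From: header alone, which any sender can set. The added example below is my own Python, not Postie's code: it shows that weak check beside a hardened one that additionally requires a DMARC pass stamped by the site's own inbound MTA. The allow-list, the authserv-id mx.example.com, the function names and both messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed configuration for this example (not Postie's settings).
ALLOWED_SENDERS = {"author@example.com"}
# authserv-id of our own inbound MTA. Only Authentication-Results headers it
# stamped may be trusted: a remote sender can write any header it likes.
TRUSTED_AUTHSERV_ID = "mx.example.com"


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.default)


def sender_address(msg):
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.lower()


def allowed_by_from_header_only(raw):
    """Weak gate: the From: header alone decides. This is the pattern the
    spoofing PoC defeats, because From: is chosen by whoever sends the mail."""
    return sender_address(parse_message(raw)) in ALLOWED_SENDERS


def trusted_auth_results(msg):
    """Return {method: result} from the topmost Authentication-Results header
    carrying our MTA's authserv-id. The MTA prepends its header on receipt
    and strips any earlier copy claiming its identity, so the first match is
    the genuine one; later copies (possibly forged by the sender) are ignored."""
    for hdr in msg.get_all("Authentication-Results", []):
        value = " ".join(str(hdr).split())
        authserv, _, rest = value.partition(";")
        if authserv.split()[:1] == [TRUSTED_AUTHSERV_ID]:
            return {m.group(1): m.group(2).lower()
                    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", rest)}
    return {}


def allowed_with_authentication(raw):
    """Hardened gate: the From: address must be allow-listed AND its domain
    must have passed DMARC at our MTA (aligned SPF or DKIM), so a forged
    From: header is no longer enough to publish."""
    msg = parse_message(raw)
    if sender_address(msg) not in ALLOWED_SENDERS:
        return False
    return trusted_auth_results(msg).get("dmarc") == "pass"


# Constructed sample messages (not real captures). Header order matters:
# the MTA's own Authentication-Results header is always the topmost one.
LEGIT_MAIL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Author <author@example.com>
To: postie@blog.example
Subject: My new post

Body of the post.
"""

SPOOFED_MAIL = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example; dkim=none; dmarc=fail header.from=example.com
From: Author <author@example.com>
To: postie@blog.example
Subject: Not really from the author
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Injected body.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MAIL), ("spoofed", SPOOFED_MAIL)):
        print(name, "from-only:", allowed_by_from_header_only(raw),
              "authenticated:", allowed_with_authentication(raw))
```

The weak gate accepts both messages; the hardened gate accepts only the first. The second message also carries a forged Authentication-Results header further down claiming dmarc=pass, which the code ignores because it reads only the topmost header with the trusted authserv-id. Where the inbound MTA does not evaluate DMARC, a per-user shared secret or signed token in the message is the usual alternative to trusting From: at all.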
This PoC is hosted here
Below are the images of the first PoC:
Another way to exploit the Postie plugin is a Cross-Site Scripting (XSS) attack using a JavaScript polyglot payload with a crafted SVG element, as follows:
jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
The components of this polyglot technique can be explained as follows:
- jaVasCript:: A label in ECMAScript; a URI scheme otherwise.
- /-//*\/'/"/**/: A multi-line comment in ECMAScript; a literal-breaker sequence.
- (/* */oNcliCk=alert() ): A tangled execution zone wrapped in invoking parenthesis!
- //%0D%0A%0d%0a//: A single-line comment in ECMAScript; a double-CRLF in HTTP response headers.
- (tag sequence not preserved on this page): A sneaky HTML-tag-breaker sequence.
- \x3csVg/\x3e: An innocuous svg element.
This is a way to inject JavaScript code into a post, bypassing the WordPress security policy, through the Postie plugin vulnerability.
This PoC is hosted here
This is the exploit on Exploit DB here
Below are the images of the second PoC: