
Exploiting Postie WordPress Plugin

This PoC describes how to exploit the Postie WordPress plugin (versions < v1.9.40).

I will describe two ways to exploit the Postie v1.9.40 plugin for WordPress:


About Postie WordPress plugin

Postie allows you to create a post by simply sending an email. Create and edit your email in whatever email program you use. Click send and within a few minutes you have a new post!

More info here


PoC 1 - Spoofing valid user for post submission

The Postie plugin for WordPress only allows posts submitted by authorized users, defined as a list of email addresses registered in the plugin settings.

However, by spoofing the email sender (as an example, I used the Anonymailer website), it was possible to bypass that setting and publish a post as if it had been sent by a valid user, as shown in the images below.

This PoC is hosted here


Below are the images of the first PoC:

(Images p8, p5, p6 and p7 are not reproduced in this text.)
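The weakness behind PoC 1 is an allow-list checked only against the From header, which the sender controls. As an added example, not code from this repository or from Postie, here is a Python comparison of that naive check with one that also requires the receiving mail server's DKIM or SPF verdict to pass for the From domain; the allow-list, the authserv-id and both sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical allow-list and the authserv-id our own inbound MTA stamps (both assumptions).
AUTHORIZED_SENDERS = {"editor@example.com"}
OUR_AUTHSERV_ID = "mx.blog.example"

# Constructed samples: the same spoofable From line, once failing and once passing authentication.
SPOOFED = b"""From: Editor <editor@example.com>
Authentication-Results: mx.blog.example; spf=fail smtp.mailfrom=bounce@relay.test; dkim=none
Subject: injected post
"""
GENUINE = b"""From: Editor <editor@example.com>
Authentication-Results: mx.blog.example; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=editor@example.com
Subject: real post
"""
def parse_message(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg, parseaddr(str(msg.get("From", "")))[1].lower()

def sender_allowed_naive(raw):
    """Allow-list check on the From header alone; the sender controls that header."""
    return parse_message(raw)[1] in AUTHORIZED_SENDERS

def parse_auth_results(header, authserv_id):
    """Simplified RFC 8601 parser -> {method: (result, props)}. Yields {} unless the
    header was stamped by our own MTA, since a sender can forge this header as well."""
    parts = [p.strip() for p in header.split(";")]
    if parts[0].split()[:1] != [authserv_id]:
        return {}
    results = {}
    for tokens in (p.split() for p in parts[1:] if p):
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results[method.lower()] = (result.lower(), props)
    return results

def sender_allowed_authenticated(raw):
    """Allow-list check that also requires DKIM or SPF to pass for the From domain."""
    msg, addr = parse_message(raw)
    if addr not in AUTHORIZED_SENDERS:
        return False
    domain = addr.rpartition("@")[2]
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")), OUR_AUTHSERV_ID)
    dkim, dprops = auth.get("dkim", ("none", {}))
    spf, sprops = auth.get("spf", ("none", {}))
    return (dkim == "pass" and dprops.get("header.d", "").lower() == domain) or (
        spf == "pass" and sprops.get("smtp.mailfrom", "").lower().rpartition("@")[2] == domain)
```

The naive check accepts both messages; the authenticated one rejects the spoofed message, and also rejects a forged Authentication-Results header that was not stamped by our own MTA.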


PoC 2 - XSS with JavaScript Polyglot

Another way to exploit the Postie plugin is a Cross-Site Scripting (XSS) attack using a polyglot JavaScript payload with a crafted SVG element, as follows:

jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

The above syntax can be explained as follows:

  • jaVasCript:: A label in ECMAScript; a URI scheme otherwise.
  • /*-/*`/*\`/*'/*"/**/: A multi-line comment in ECMAScript; a literal-breaker sequence.
  • (/* */oNcliCk=alert() ): A tangled execution zone wrapped in invoking parenthesis!
  • //%0D%0A%0d%0a//: A single-line comment in ECMAScript; a double-CRLF in HTTP response headers.
  • : A sneaky HTML-tag-breaker sequence.
  • \x3csVg/\x3e: An innocuous svg element.

This injects JavaScript code into a post through the Postie plugin vulnerability, bypassing the WordPress security policy.

This PoC is hosted here

The exploit is also published on Exploit-DB here


Below are the images of the second PoC:

(Images p1, p2, p3 and p4 are not reproduced in this text.)