CVE-2024-5200
BaseFortify
Publication date: 2025-09-29
Last updated on: 2025-11-13
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | postie | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-5200 is a Stored Cross-Site Scripting (XSS) vulnerability in the Postie WordPress plugin versions before 1.9.71. It occurs because the plugin does not properly sanitize and escape certain settings, allowing high-privilege users like administrators to inject malicious scripts. This can happen even if the unfiltered_html capability is disabled, such as in multisite WordPress setups. An example is inserting a malicious payload into the image custom template field, which then executes when the settings page is accessed. [1]
How can this vulnerability impact me? :
This vulnerability allows high-privilege users to inject and store malicious scripts that execute when the affected settings page is viewed. This can lead to unauthorized actions such as stealing cookies, session hijacking, or other malicious activities within the WordPress admin interface. Although the severity is rated low (CVSS 3.5), it can compromise the security of the WordPress site and its users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Postie WordPress plugin version is prior to 1.9.71. Additionally, a proof of concept involves navigating to the Postie Β» Image settings page and inserting a test XSS payload such as `<img src=x onerror=alert(document.cookie) />` into the image custom template field. If the payload triggers an alert when the settings page is accessed, the vulnerability is present. There are no specific network commands provided, but verifying the plugin version and testing the image custom template field for stored XSS can help detect it. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Postie WordPress plugin to version 1.9.71 or later, where the issue has been fixed. Until the update is applied, restrict high privilege user access to the Postie plugin settings to prevent exploitation. [1]